The recently adopted General Data Protection Regulation (GDPR) stipulates that a data protection impact assessment (DPIA) of the relevant privacy consequences should be carried out by the data controller before putting a new technology in place (art. 35 GDPR). This evaluation is compulsory if the data processing poses a high risk to the rights of natural persons. The assessment is not a one-time event and should be reiterated throughout the whole development and deployment process of the technology. A strong emphasis should be laid on data minimisation, risk minimisation and secure storage and processing of information. Crucial in this respect is that the DPIA is not a mere box-ticking legal compliance check, but rather an overall evaluation process that should also encompass ethical and social impacts. It would therefore be advisable to integrate the DPIA with, for example, ethical impact assessment processes. It is best practice to use the DPIA to shape and revisit data sharing arrangements and the way procedures within an organisation support ethical data sharing and uphold the rights of data subjects.
Guiding Questions
Have you conducted a data protection impact assessment prior to the deployment of the technology?
What information security measures have you adopted to address data protection concerns?
How regularly do you reassess the privacy compliance of the technology?
Have you taken an approach that embeds privacy protection at all levels of the technological development?