SATORI discusses data protection impact assessment challenges at Brussels Privacy Hub

Rowena Rodrigues, Trilateral Research represented the SATORI project at the Brussels Privacy Hub Workshop on the implementation of the EU GDPR: Privacy Impact Assessments and gave a joint presentation on “Data Protection Impact Assessments (DPIAs): Examining the Challenges” on 4 October 2016 with Julia Muraszkiewicz (Trilateral Research/iTRACK project). Rowena provided a brief overview of SATORI, and drew the attention of participants to the SATORI CWA that is open for consultation. The presentation, inter alia, drew learnings from SATORI results particularly its research into impact assessment and ethical impact assessment results, to help understand the challenges that might be faced in conducting a DPIA. The key challenges discussed were: the need to determine and ensure adequate expertise to conduct a DPIA; ensuring the type of impact assessment is most appropriate (e.g., scope, scale); adequacy and thoroughness of a DPIA; optimising stakeholder engagement and ensuring its quality. Julia Muraszkiewicz presented a case-study based on the ethics and privacy impact assessment (E/PIA) in the iTRACK project. This was followed by a Q&A session.

The second part of the workshop consisted of open discussion with the audience, and was chaired and steered by Raphaël Gellert and Niels Van Dijk from VUB-LSTS and the D/PIALAB. Two themes in particular garnered particular attention: the difference between a PIA and a DPIA, and the issue of public participation in DPIA. The questions raised and views expressed focused on whether the scope of DPIAs is limited to complying with the GDPR; the added value of the DPIA; who the public might be in relation to public participation in the process (here comparisons were made with environmental law, which has a broad scope ratione personae (i.e., it can extend to all concerned persons, not only affected persons). There was also some important discussion on the scope ratione materiae of this provision, i.e., to which processing operations should it apply? It seems further guidance from the EDPB will be needed to define further the high risk processing operations where such participation is seen as appropriate