white_paper_on_data_protection_in_india_171127_final_v2
(ii) Data Protection Impact Assessment

A data protection impact assessment (DPIA) is a process centred on evaluating activities that involve high risks to the data protection rights of individuals. The process can become necessary whenever a new project is taken up or a new policy is adopted by a data controller which may involve the use of a new technology or may have a significant impact on the data protection rights of individuals. A DPIA is aimed at describing the details regarding the processing activity, assessing the necessity and proportionality of such an activity, and helping manage the risks that are identified in relation to this activity. 738 The DPIA is carried out before the proposed processing activity is initiated so that the relevant data controller can plan the processing at the outset itself.
International Practices

European Union
Under Article 35 of the EU GDPR, there is a requirement to undertake a compulsory data protection impact assessment prior to data processing where a type of processing is likely to result in a high risk for the rights and freedoms of individuals. Certain kinds of processing activities are identified under the EU GDPR that would require such an assessment 739 and a supervisory authority is permitted to specify certain further activities that would trigger similar obligations. 740 Certain details regarding the contents of the assessment are also laid down. Recital 84 of the EU GDPR makes it clear that the outcome of the DPIA must be taken into account during the actual processing to demonstrate compliance and that where a DPIA indicates risks that cannot be mitigated, a consultation with the supervisory authority should be undertaken. 741
Australia

Section 33D of the Privacy Act empowers the OAIC to direct an agency to carry out and submit a privacy impact assessment if the relevant activity or function might have a significant impact on the privacy of individuals. The provision also provides a non-exhaustive list of contents of the assessment.
Canada

Further, EU, Canada, Australia and South Africa do not appear to place any requirements for the registration of processing entities.
738 Article 29 Data Protection Working Party, 'Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679', European Commission (4 April 2017), available at: http://ec.europa.eu/newsroom/document.cfm?doc_id=44137, (last accessed 20 November 2017).

739 Article 35(3), EU GDPR. A DPIA would be required for "a systematic and extensive evaluation of personal aspects" through automated processing, large scale processing of special categories of data, and processing of data related to criminal convictions and offences.

740 Articles 35(4) and (5), EU GDPR.

741 It may be noted that the UK DPA and South Africa's POPI Act do not make DPIAs mandatory.