GDPR Guidance (4) Data Protection Impact Assessment

The General Data Protection Regulation (the “GDPR”) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive 95/46/EC (the “Directive”). This is the fourth of a series of Guidance Notes that the Gibraltar Regulatory Authority (“GRA”), as the Data Protection Commissioner, will issue in the run up to the 25th May 2018.

This Guidance Note provides general advice on the requirement for organisations to carry out a Data Protection Impact Assessment (“DPIA”) for any high-risk data processing activity. It is important to note that DPIAs are not a new concept, as they are already a recognised procedure that organisations use to comply with current data protection law under the Directive. A DPIA is a procedure designed to assist organisations in identifying and minimising the privacy risks of new projects or policies. A DPIA is an important tool for accountability that will help organisations comply with GDPR requirements, including the requirement for organisations to demonstrate that appropriate measures have been implemented to ensure compliance with data protection. Where the DPIA identifies risks which the organisation cannot fully mitigate, the organisation will be obliged to consult with the Lead Supervisory Authority before commencing the processing.

It is important to note that conducting a DPIA is not mandatory for all data processing; it is only required where the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (see Article 35(1) of the GDPR). For example, this will be a requirement when a new technology is being used, where a profiling operation is likely to significantly affect individuals, or where there is large scale monitoring of a publicly accessible area. Although undertaking a DPIA is not always compulsory, organisations may find it useful to conduct one, as it will ensure that the processing is GDPR compliant.

The aim of this Guidance Note is to provide advice on the GDPR’s requirements relating to DPIAs and to assist data controllers with their role throughout this task, as they are ultimately responsible for ensuring that DPIAs are carried out in accordance with the GDPR.