[Edited to add: it is well worth reading the comments to this piece, especially the ones from Chris Pounder and Reuben Binns]
I needed a way to break a blogging drought, and something that was flagged up to me by a data protection colleague (thanks Simon!) provides a good opportunity to do so. It suggests that the drafting of the GDPR could lead to an enormous workload for the ICO.
The General Data Protection Regulation (GDPR) which entered into force on 24 May this year, and which will apply across the European Union from 25 May 2018, mandates the completion of Data Protection Impact Assessments (DPIAs) where indicated. Article 35 of the GDPR explains that
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data
In the UK (and indeed elsewhere) we already have the concept of “Privacy Impact Assessments”, and in many ways all that the GDPR does is embed this area of good practice as a legal obligation. However, it also contains some ancillary obligations, one of which is to consult the supervisory authority, in certain circumstances, prior to processing. And here is where I get a bit confused.
Article 36 provides that
The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk
A close reading of Article 36 results in this: if the data controller conducts a DPIA, and is of the view that if mitigating factors were not in place the processing would be high risk, it will have to consult the supervisory authority (in the UK, the Information Commissioner’s Office (ICO)). This is odd: it effectively renders any mitigating measures irrelevant. And it appears directly to contradict what recital 84 says
Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing [emphasis added]
So, the recital says the obligation to consult will arise where high risk is involved which the controller can’t mitigate, while the Article says the obligation will arise where high risk is involved notwithstanding any mitigation in place.
Clearly, the Article contains the specific legal obligation (the recital purports to set out the reason for the contents of the enacting terms), so the law will require data controllers in the UK to consult the ICO every time a DPIA identifies an inherently high risk processing activity, even if the data controller has measures in place fully to mitigate and contain the risk.
For example, let us imagine the following processing activity – the collection and storage of customer financial data for the purposes of fulfilling a web transaction. The controller might have robust data security measures in place, but Article 36 requires it to consider “what if those robust measures were not in place? Would the processing be high risk?” To which the answer would have to be “yes” – because the customer data would be completely unprotected.
In fact, I would submit, if Article 36 is given its plain meaning, virtually any processing activity involving personal data would, in the absence of mitigating measures, be high risk, and so create a duty to consult the ICO.
What this will mean in practice remains to be seen, but unless I am missing something (and I’d be delighted to be corrected if so), the GDPR is setting the ICO and other supervisory authorities up for a massive influx of work. With questions already raised about the ICO’s funding going forward, that is the last thing they are likely to need.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
9 responses to “A Massive Impact for the ICO?”
I’ve highlighted this on GDPR courses, and it’s not just the workload itself that will cause the ICO problems – it’s the nature of that work. The Information Commissioner’s Office is always happiest when sat on the fence. Prior consultation requires them to provide written advice, and to give it in a relatively tight timescale. I’m sure they would prefer to give the same standard of ‘comply with the principles’ advice they have been offering for 20 years, but that’s clearly not what consultation is for, and I suspect they will be subject to strong criticism if they try to offer ambivalent or unclear advice.
There is an alternative interpretation of Article 35 which is horribly ambiguous.
The blog has interpreted A.35 as follows: if a controller does a PIA and identifies a high risk, it has to contact the ICO, as the risk is high in the absence of mitigation measures (i.e. the controller ignores any mitigating measure to reduce the risk and contacts the ICO as there is high risk).
If you look at Recital 94 it is clear the high risk is residual (i.e. the controller does a PIA, identifies a high risk and implements measures to remove the risk: there is no need to contact the ICO). It is only when the controller cannot reduce the high risk that it contacts the ICO.
In general, never look at an Article without looking at the related Recitals; see Hawktalk blog (see “The Recitals are essential to your understanding the GDPR”: http://amberhawk.typepad.com/amberhawk/2016/01/the-recitals-are-essential-to-your-understanding-the-general-data-protection-regulation.html).
By Jove, I think you’re right. I had read recital 94, and initially saw it as saying the same as 86. But I see your point and it seems to work.
My comments relate to A.36, not A.35. My error. Can you correct the post or post this amendment!
Being ignorant of the EU legislative system: is the legislation now finalised and immutable without new primary legislation to correct it, or can the ICO / others correct this problem before it becomes mandatory on states?
In answer to your question, it is now published, and, in your word, effectively immutable. However, on this specific point, see the comment from Chris Pounder, which I think provides an answer.
Being ignorant of the EU legislative process: is the GDPR finalised and thus immutable without primary legislation, or is there any opportunity to correct this problem before it becomes mandatory on all state parties?
I agree with Chris. The Article can be read either way so the recital provides the resolution. One may of course lament the death of appropriate punctuation (and clause order) …
I interpreted it along Chris’s lines, although it is quite ambiguous. It’s worth bearing in mind that DPAs will be responsible for drawing up lists of processing operations which are likely or unlikely to present specific risks, to help data controllers ascertain whether they should undertake a PIA. The new European Data Protection Board will be responsible for ensuring that these lists are harmonised across member states (Article 57c (1)). This will probably mean that the vast majority of submissions for prior checking will fit into one of the categories of operations listed as risky by the DPA. The DPAs will therefore probably try to streamline their prior checking procedures in accordance with their ‘risk list’, which might make their case load a bit easier.