Data Protection Impact Assessment and its benefits
A Data Protection Impact Assessment (DPIA) is a process aimed to evaluate risks to the rights and freedoms of individuals, in particular the risks' origin, nature, particularity and severity, as well as to analyse measures, safeguards, controls and mechanisms envisaged to address these risks, ensuring the protection of Personal Data. The General Data Protection Regulation (GDPR) foresees the DPIA as a key instrument to enhance Data Controllers' [an entity that determines the purposes and means of the processing of personal data] accountability as it helps them build and demonstrate compliance. The DPIA also supports Data Controllers in establishing the rules for collecting Personal Data, in particular with regard to proportionality of collection to the purpose of processing and legal basis. Additionally, a sound Data Protection Impact Assessment facilitates data protection by design and complements risk management processes.
Who should use the Template and why
The DPIA Template is addressed to Smart Grid operators (Distribution System Operators, Generators, Suppliers, Metering Operators, Energy Service Companies). Since the collection and usage of Personal Data (e.g. household consumption, usage data) is one of the key business enablers for Smart Grid operators, they are very likely to be subject to GDPR obligations as Data Controllers.
The Template, albeit itself non-compulsory, will serve as an evaluation and decision-making tool of supporting Smart Grids operators in complying with the GDPR, implementing privacy by design principle, carrying out risk management processes or other voluntary commitments. The Template is also expected to contribute to coherent application of the GDPR across Member States and to promote a common methodology for adequate Personal Data processing for Smart Grids operators.
The Template defines the necessary process steps to find appropriate controls attributed by examples of controls measures and helps monitoring Smart Grid application from the start. Data Controllers in the Smart Grid environment that apply the Template may take competitive advantage by providing trust and gaining reputation for their commitment to Personal Data Protection.
How it works
The template is organised in different chapters. The Introductory Part in Chapter 1 provides the context necessary to understand the process of the DPIA in the Smart Grids' environment, its legal and business conditioning as well as relevant terminology.
The Explanatory Guidance in Chapter 2 and the Model Questionnaire in Chapter 3 are the operative parts of the Template that mirror one another. Having the Model Questionnaire presented side by side (with two screens or with two printed copies) with Explanatory Guidance will facilitate the understanding of the DPIA process and streamline its accomplishment.
How the Template was developed
The editorial team responsible for the Template was composed of industry representatives involved in the Smart Grid Task Force (SGTF), Expert Group 2 (EG2) dedicated to the identification of the appropriate regulatory scenarios and recommendations for data handling, data security and data protection.
The final version of the Template takes its origins from the Template's third version finalised by the EG2 members on 10th of March 2014. The Commission Recommendation of 10 October 2014 planned for a two year test phase of the DPIA Template to gather feedback amongst stakeholders. For over three years the Commission has facilitated the test phase and assisted the EG2 in reviewing the Template. The review consisted of accommodating the feedback from the test phase as well as updating the Template in accordance with the GDPR.
The Commission hosted a presentation of the final version of the Template on 13th of September 2018 in Brussels.
Be advised that although carrying out a DPIA is not always legally mandatory, compliance with other GDPR Requirements has to be assured at all times irrespectively of the DPIA execution.
The Template is the result of the consensus reached among experts of the Expert Group for Regulatory Recommendations for Privacy, Data Protection and Cyber-Security in the Smart Grid Environment (EG2) within the Smart Grids Task Force. The Template does not represent the opinion of the European Commission. Neither the European Commission, nor any person acting on the behalf of the European Commission, is responsible for the use that may be made of the information arising from this document.