Working Party Adopts Revised Guidelines on Data Protection Impact Assessments Under the GDPR
On October 4, 2017, the Article 29 Working Party (the “Working Party”) revised and adopted the final version of the Guidelines on data protection impact assessments (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (the “Guidelines”). The Guidelines were first published for comment on April 4, 2017, and the final publication of these revised Guidelines follows the public consultation that ended in May 2017.

In general, the revised and final Guidelines do not differ substantially from the original Guidelines published in April 2017. The following amendments, however, are worth noting:

  • The Working Party emphasized the importance of DPIAs as a risk management tool. In addition, the Working Party stated that even where the conditions triggering the obligation to carry out a DPIA have not been met, data controllers are not exempt from implementing appropriate risk management measures, as well as continuously assessing the risks associated with their data processing activities.
  • The list of criteria to consider when determining whether processing activities are likely to result in a high risk has been amended. The Working Party has now removed the criterion of “data transfer across borders outside the European Union” that was included in the original version of the Guidelines.
  • The list of examples of processing activities likely to trigger the obligation to conduct DPIAs was expanded with the following example: “An institution creating a national level credit rating or fraud database.”

The Working Party strongly emphasized the importance of continuously assessing whether data processing activities trigger the need to conduct a DPIA in light of potential changes affecting such activities (i.e., change to the risks resulting from the processing operations or changes in the implementation of the processing activities affecting their scope, purpose, the type of personal data collected, the identity of the data controller(s), data retention period, technical and organizational measures, etc.), independent of prior DPIAs or prior checking performed by the supervisory authority or the data protection officer.