Majority of EU Bodies Conduct Data-Protection Assessments, Report Says
Compared with four years ago, many more EU institutions have carried out the data protection impact assessments (DPIAs) required under rules governing data protection, the European Data Protection Supervisor said Monday in a report about its 2024 DPIA survey.
In the previous survey, only 17 EU bodies said they had performed a DPIA, the EDPS noted, but now, the majority have.
The EDPS recommended that data controllers perform a DPIA when an institution's processing operations meet the criteria laid out in the EU Data Protection Regulation on data processing in EU bodies and EDPS guidelines.
The criteria will be met in some processing operations, such as when processing data through generative AI, because there are high risks to data subjects, the office said. When EU institutions identify high risks in a processing operation, they should conduct a DPIA rather than try to mitigate the risks to avoid one, because the impact assessment will provide a better idea of which mitigations to apply.
The survey examined other aspects of how EU bodies perform DPIAs and pointed out areas where improvement is needed. It also highlighted the need to fully involve data protection officers in DPIAs.
The survey, which didn't refer to EU institutions polled by name, was "exploratory in nature and is decidedly not about naming and shaming," the EDPS said.