To assess the Necessity and Proportionality of data processing within a DPIA, organizations need to evaluate two critical elements:
- Necessity: This refers to ensuring that the processing of personal data is essential for achieving the intended purpose and cannot be achieved through less intrusive means. It is a measure of whether the data processing is absolutely required for the goal.
- Proportionality: This involves a more detailed test, which comprises three core components:
  - Proper Purpose: The underlying purpose of the processing must be legitimate in itself.
  - Rational Connection: There must be a clear link between the processing activity and the purpose it is intended to serve.
  - Balancing: The benefits of the processing must be weighed against the potential harm it could cause to data subjects’ rights and freedoms. This includes considering the limitations of rights, which can be imposed as long as they are proportionate (i.e., the harm does not outweigh the benefits).
In the case of novel data processing activities, such as those involving new technologies, it can be difficult to predict the benefits upfront. However, the processing must still be justified with a clear purpose and the risks must be balanced against potential benefits. The WP29 guidance (now the European Data Protection Board, EDPB) provides further recommendations, such as ensuring the processing is lawful, relevant, and only limited to what is necessary for the purpose. They also recommend that organizations regularly revisit these criteria, particularly if new technologies are involved, as the actual benefits may evolve over time.
Additionally, organizations should ensure compliance with specific GDPR principles during this process, such as ensuring fairness, transparency, data minimization, accuracy, and accountability, as outlined in Articles 5 and 6 of the GDPR.