To assess the Necessity and Proportionality of data processing within a Data Protection Impact Assessment (DPIA), organizations must evaluate two critical elements that ensure responsible and compliant data handling practices.
Necessity refers to ensuring that the processing of personal data is essential for achieving the intended purpose and that the purpose cannot be achieved through less intrusive means. It’s a measure of whether the data processing is absolutely required for the goal.
Proportionality involves a more detailed test, which comprises three core components:
In the case of novel data processing activities, such as those involving new technologies, it can be difficult to predict the benefits upfront. However, the processing must still be justified with a clear purpose, and the risks must be balanced against potential benefits. Guidance from the WP29 (now the European Data Protection Board, EDPB) provides further recommendations, such as ensuring the processing is lawful, relevant, and limited to what is necessary for the purpose. It also recommends that organizations regularly revisit these criteria, particularly if new technologies are involved, as the actual benefits may evolve over time.
Additionally, organizations should comply with specific GDPR principles during this process, such as fairness, transparency, data minimization, accuracy, and accountability, as outlined in Articles 5 and 6 of the GDPR.