A data protection impact assessment (DPIA) is a process that aims to evaluate risks to the rights and freedoms of individuals, in particular the risks' origin, nature, particularity and severity, as well as to analyse the measures, safeguards, controls and mechanisms envisaged to address these risks, ensuring the protection of personal data.
The General Data Protection Regulation (GDPR) foresees the DPIA as a key instrument to enhance the accountability of data controllers (entities that determine the purposes and means of the processing of personal data), as it helps them build and demonstrate compliance.
The DPIA also supports data controllers in establishing the rules for collecting personal data, particularly with regard to proportionality of collection to the purpose of processing and legal basis. Additionally, a sound DPIA facilitates data protection by design and complements risk management processes.
DPIA template and users
The DPIA template is addressed to smart grid operators like distribution system operators, generators, suppliers, metering operators and energy service companies. Since the collection and use of personal data, for instance household consumption or usage data, is one of the key business enablers for smart grid operators, they are very likely to be subject to GDPR obligations as data controllers.
Although the template is not compulsory, it will serve as an evaluation and decision-making tool that will support smart grid operators in GDPR compliance. This includes implementing the privacy by design principle, carrying out risk management processes or other voluntary commitments. The template is also expected to contribute to coherent application of the GDPR across Member States and to promote a common methodology for adequate personal data processing for smart grid operators.
The template defines the necessary process steps to find appropriate controls, building on examples of control measures that will help monitor smart grid applications from the start. In addition, data controllers that use the DPIA template may enjoy a competitive advantage by providing trust and gaining reputation for their commitment to personal data protection.
The template is organised in different chapters. The introductory part in chapter 1 provides the necessary context to understand the process of the DPIA in the smart grids' environment, the legal and business conditions and relevant terminology.
The explanatory guidance in chapter 2 and the model questionnaire in chapter 3 are the operative parts of the template and mirror one another. Keeping the model questionnaire side by side with the explanatory guidance (on two screens or as two printed copies) will facilitate the understanding of the DPIA process and streamline its completion.
Development and process
The editorial team responsible for the template was composed of industry representatives from Expert Group 2 in the Smart Grids Task Force, who are tasked with identifying appropriate regulatory scenarios and recommendations for data handling, security and protection.
The final version of the template is based on the third version, which was finalised by the expert group in March 2014. To gather feedback from stakeholders, the European Commission published a communication in October 2014 that outlined a two-year test phase. Since then, the Commission has facilitated the test phase and assisted the expert group in reviewing the template, notably by accommodating the feedback and updating the template in accordance with the GDPR.
The Commission hosted a presentation of the final version of the template on 13 September 2018 in Brussels.
It should be noted that although carrying out a DPIA is not always legally mandatory, compliance with other GDPR requirements has to be assured at all times irrespective of the DPIA execution.
The template is the result of the consensus reached among members of Expert Group 2: Regulatory Recommendations for Privacy, Data Protection and Cyber-Security in the Smart Grid Environment, in the Smart Grids Task Force.
The template does not represent the opinion of the European Commission. Neither the European Commission, nor any person acting on behalf of the European Commission, is responsible for the use that may be made of the information arising from this document.