Threshold analysis in data protection
A threshold analysis is a preliminary stage of the data protection impact assessment (DPIA). Its primary purpose is to determine whether a data protection impact assessment is necessary at all. The analysis focuses on whether the processing activity under investigation potentially poses a high risk to the rights and freedoms of natural persons. If this is the case, data protection experts say that the processing activity exceeds the risk threshold – hence the name of the procedure, threshold analysis.
When examining processing activities, this analysis is therefore used to first check whether a data protection impact assessment is necessary in the respective case.
When do you need to perform a DPIA threshold analysis?
In order to assess the potential risk of a processing activity (PA), the following two steps have become established in practice:
- First, check whether the processing activity (PA) is included in a mandatory DPIA list (also known as a "blacklist"). If so, you must immediately carry out a data protection impact assessment for this PA.
- If the PA is not included in the mandatory DPIA list, perform a threshold analysis in which you answer 9 questions to clarify the potential risks (see instructions further down in this article).
Tip: Your record of processing activities (RoPA) pursuant to Art. 30 GDPR provides you with all the necessary information that serves as the basis for the threshold analysis. This analysis is a preliminary step to the data protection impact assessment. If the result indicates a high risk, the subsequent DPIA is legally mandatory.
Threshold analysis: These are the 9 questions you need to answer
The 9-point catalog has proven itself in practice for threshold analysis. It is based on the criteria set out by the European Data Protection Board in its guidelines on data protection impact assessments (Working Paper 248 rev. 01) in 2017. You perform the threshold analysis by answering these nine questions. If you have determined that your processing activity is included in the mandatory DPIA list (see above), or if you answer yes to at least two of the following nine questions, you should carry out a DPIA.
To help you understand exactly what type of processing activity each question refers to, we provide the necessary information on the criteria in question as well as relevant examples of how you might encounter them in data protection practice.
Does the processing operation evaluate, classify or characterize ('profiling') the data subjects?
The term "profiling" covers certain processing operations in which personal aspects of the data subject are evaluated. These include their
- work performance,
- economic situation,
- health,
- personal preferences and interests,
- reliability,
- behavior, and
- whereabouts or changes of location.
Example
Profiling occurs, for example, when your company creates a credit score for a person based on their economic situation or by storing their purchasing preferences. In this case, the first question in the nine-point catalog must be answered in the affirmative and you must perform a DPIA.
Is it automated processing that has a significant impact on the data subject?
The first part of this question aims to clarify whether decision-making takes place entirely without human involvement. An automated decision is one that is made exclusively by technical means.
The second part of the question is intended to assess whether the automated decision has a formative effect on the data subject. Such a significant impact exists if the processing can produce legal effects for the data subject or if it has a comparably significant practical effect on them.
Example
Fully automated online credit granting or an online recruitment process without any human intervention fall under this point and must be subject to a DPIA.
Are the data subjects systematically monitored, observed, or controlled by the processing?
The term "systematically" plays an important role in this question. There are therefore several criteria for assessing whether monitoring, observation, or control is carried out systematically. This is the case if it
- is carried out within the framework of a system,
- is predetermined, organized, or methodical,
- is part of an overall plan for data collection, or
- is carried out as part of a strategy.
Example
Systematic monitoring occurs in the case of video surveillance or when data collected via networks is used for processing.
Is sensitive personal data being processed that could lead to discrimination or abuse of the data subjects?
This depends on the special categories of personal data that are particularly worthy of protection. These include data revealing
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs, or
- trade union membership.
This point also protects data subjects when the following data relating to them is processed:
- data relating to criminal convictions and offenses or related security measures, and
- confidential data, for example on a person's electronic communications, location, or finances, which could increase the potential risks for data subjects.
Is data being processed on a large scale?
There are also several criteria for answering this question, which you can and must use to assess the processing. The following criteria are taken into account when assessing whether data is processed on a large scale:
- Number of persons affected
- Amount of data processed
- Range of data elements processed
- Duration or permanence of the processing
- Geographical scope of data processing
Are data records compared or merged during processing?
This criterion covers cases where data records collected by different controllers or for different purposes are merged. But why is this so special that it requires a DPIA? Because data subjects would not normally expect such a merger to take place. However, the DPIA only needs to be carried out if the merger or processing
- is performed on a large scale,
- is carried out for purposes for which the data was not collected directly from the data subjects,
- is done using non-transparent algorithms, and
- is done in order to make decisions with legal effect.
Is data relating to vulnerable persons being processed?
If data relating to vulnerable persons is processed, a data protection impact assessment is important in order to assess and prevent possible risks. A person or group of persons is considered vulnerable if there is an imbalance of power between them and the controller. This includes, for example:
- Children
- Employees
- People with mental illness
- Asylum seekers
- Senior citizens
- Patients
Is the processing carried out through innovative use or application of new technological or organizational solutions?
New technologies are another important item on the list. The reason is that when they are used, it is often not yet clear whether and how the processing will affect the rights and freedoms of the individuals concerned.
Example
There are now numerous tools that use artificial intelligence. If your company uses such AI for customer support or to evaluate phone calls algorithmically, you must carry out a DPIA.
You must also carry out a data protection impact assessment for access control using a combination of fingerprint and facial recognition.
Does the processing allow, modify, or deny data subjects the exercise of a right, the use of a service, or the performance of a contract?
This question is intended to get to the bottom of data processing operations that have a particular impact on whether the data subject can exercise their rights or use a service.
Example
A particularly popular example is the following: A bank queries a database operated by a credit agency such as Germany's SCHUFA, Creditreform Boniversum, or Arvato infoscore for data on a potential customer. The bank wants to use the findings to decide whether to grant a loan. The processing therefore has a direct impact on the data subject, and the bank must carry out a DPIA.
Good to know: A data protection impact assessment (DPIA) is a legally required procedure. It is enshrined in law in Article 35 of the General Data Protection Regulation (GDPR). You must always carry out a DPIA if it is foreseeable that data processing – due to its nature, scope, circumstances, or purpose – is likely to result in a high risk of violating the data protection rights of natural persons concerned. This is always the case, for example, when the processing activity involves special categories of personal data in accordance with Article 9(1) GDPR.
Conclusion on threshold analysis
A threshold analysis is an important methodology in data protection practice. It is used to assess the risk of processing activities and helps you determine whether you need to carry out a DPIA. The 9-point catalog – i.e., the nine questions above – has proven itself for carrying out this analysis. Since evaluating individual questions can be complex, digital solutions that provide examples, tips, and background information are useful for threshold analysis.
The data protection software from caralegal facilitates threshold analysis and optimizes the recording of risky data processing activities through direct integration into the record of processing activities (RoPA). Follow the link to find out how the DPIA threshold analysis works in caralegal.