The “Whitelist” and its Value during a Data Protection Impact Assessment

Author: Iheanyi Nwankwo
Published in: Turning Point in Data Protection Law (journal article), 2020-10-13
DOI: 10.5771/9783748921561-141 (https://doi.org/10.5771/9783748921561-141)
The EU General Data Protection Regulation (GDPR) solidifies the risk-based approach in data protection through several references that tie the obligations of data controllers to the risk exposure associated with their data processing. These references include, for example, the requirement to conduct a data protection impact assessment (DPIA). However, the regulation does not require a DPIA to be carried out in every personal data processing scenario, even though it is commonly acknowledged that the mere processing of personal data carries an element of risk. Article 35 (1) of the GDPR triggers the requirement for a DPIA only when the processing operation is likely to result in “high risk”. Unfortunately, the GDPR defines neither “risk” nor “high risk”, even though these are key notions that require clarification as to which data processing operations fall within each of them. That being the case, data controllers are expected to conduct a preliminary assessment of their intended data processing to determine whether it could result in high risk. Article 35 (3) assists tremendously in carrying out this task by providing non-exhaustive examples of data processing considered to be of high risk and therefore requiring a DPIA by default: processing that involves a systematic and extensive evaluation of personal aspects relating to natural persons; large-scale processing of special categories of data; or systematic monitoring of a publicly accessible area on a large scale. On the other hand, Recital 91 gives an indication of processing that should not require a mandatory DPIA because it is not presumed to be large scale, for example, data from patients or clients processed by an individual physician, another health care professional or a lawyer. However, as these examples are not complete, supervisory authorities (SAs) are tasked with publishing lists of processing operations that require a