The European Data Protection Supervisor (EDPS) has published findings from its 2020 survey on how EU institutions, bodies, and agencies (EUIs) are implementing Data Protection Impact Assessments (DPIAs) under Article 39 of Regulation (EU) 2018/1725. The report, which received 40 responses despite the challenges of the COVID-19 crisis, highlights progress, gaps, and lessons learned in applying this accountability tool.
The survey shows that most EUIs have yet to finalize many DPIAs, with only four reporting more than two completed assessments. Many institutions are still in the process of drafting their first DPIA. The majority of existing assessments focused on HR and IT activities, such as recruitment, CCTV, medical data, training, and cloud services. Criteria most frequently triggering DPIAs included the processing of sensitive data, large-scale processing, and the use of novel technologies.
The report also found significant variation in the scope and depth of completed DPIAs. Lengths ranged from five to 55 pages, with the average around 16. While some assessments comprehensively examined risks to fundamental rights, others struggled to fully adopt the “risk mindset” required by the regulation—focusing more on institutional rather than data subject impacts. For example, several DPIAs related to CCTV surveillance failed to consider potential chilling effects on freedom of expression and assembly.
Data Protection Officers (DPOs) play a central role, often providing templates, guidance, and even drafting parts of DPIAs. While most DPOs expressed high satisfaction with their involvement, some warned that institutions rely too heavily on their input rather than placing responsibility on controllers. Suggestions for improvement included greater awareness-raising among staff, simplified methodologies, and more resources for DPOs.
Few institutions publish DPIAs or their summaries, citing confidentiality and security concerns, though some share documents internally. External consultants have been used in only a handful of cases, with mixed results. The EDPS concluded that contractor involvement is “not a silver bullet,” stressing the need for certified data protection expertise.
The survey also gathered feedback on EDPS guidance, with respondents calling for clearer, simpler language and more practical examples. Several agencies advocated for harmonized templates and the possibility of joint DPIAs for commonly used tools, such as Microsoft products, to avoid duplication across EU bodies.
The EDPS plans to use the findings to refine its guidance on DPIAs and indicated it will conduct similar surveys more frequently to monitor compliance and share best practices.