The Bigger Picture: Approaches to Inter-organizational Data Protection Impact Assessment

Abstract

Contemporary data processing activities rarely involve a single entity but, rather, rely on complex inter-organizational collaborations between (joint) controllers, processors, sub-processors, recipients, and third parties. However, current approaches in support of Data Protection Impact Assessment (DPIA) traditionally address data protection risks through the perspective of a single entity. As a result, the assessment of complex, inter-organizational data processing activities is scattered across multiple isolated efforts conducted by different parties. This leads to mismatches between the factual descriptions of data processing activities among the concerned entities, but also dilutes the argumentation related to the general principles governing the processing of personal data. In this article, we explore and discuss the benefits and downsides of approaches that foster inter-organizational collaboration when conducting a DPIA. We also highlight the main requirements, namely: (i) establishing consensus on and consistency in the descriptions of data processing operations and the legal argumentations, (ii) controlling the sharing of information between organizations, (iii) addressing data protection compliance from an end-to-end, holistic perspective and (iv) allowing for dynamism and continuous, flexible re-evaluation. Finally, we discuss and contrast two alternative approaches for inter-organizational and collaborative DPIA: a fully centralized versus a fully federated approach.