Data Protection Impact Assessments: A Meta-Regulatory Approach

International Data Privacy Law, Vol. 7(1), p. 22-35, 2017

34 Pages Posted: 9 May 2017

Date Written: December 13, 2016

Abstract

• Privacy and Data Protection Impact Assessments (PIAs/DPIAs) are tools for organisations to manage privacy risks. They emerged in various jurisdictions from the 1980s, initially as a purely voluntary measure. DPIAs are now set to become a mandatory requirement in certain circumstances under the European General Data Protection Regulation (GDPR). This article addresses impact assessments from the perspective of regulatory theory. Their transition from a voluntary tool to a mandatory requirement raises questions about their purpose and role, as well as implications for the direction of data protection in Europe more generally.

• Previous analyses have tended to assess such impact assessments in relation to a limited set of regulatory categories, namely self-regulation, command-and-control regulation, or some form of 'co-regulation'. Drawing from regulatory theory, this article suggests a more nuanced account of the mandatory impact assessment regime outlined in the GDPR.

• It argues that this regime can be understood as a form of 'meta-regulation'. The final section draws on a framework for assessing the prospects of meta-regulation, in order to assess the prospects for a meta-regulatory approach to impact assessments.

Keywords: Data Protection, EU, GDPR, Impact Assessment, Privacy, Regulation

Suggested Citation

Binns, Reuben, Data Protection Impact Assessments: A Meta-Regulatory Approach (December 13, 2016). International Data Privacy Law, Vol. 7(1), p. 22-35, 2017, Available at SSRN: https://ssrn.com/abstract=2964242

Reuben Binns (Contact Author)

University of Oxford ( email )

Mansfield Road
Oxford, Oxfordshire OX1 4AU
United Kingdom

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
661
Abstract Views
1,923
Rank
77,547
PlumX Metrics