For any new products or new initiatives that you intend to take on, undergoing a DPIA can be really helpful to make sure that your data processing is lean and doing exactly what it's supposed to do and you're not exposing yourself to any unnecessary liability, but of course, you must do a documented DPIA if you were engaging in high-risk processing.

For example, you're engaging in systematic and extensive automated evaluation that will have legal effects on a data subject or similarly significant effects on a data subject, you're engaging in large scale processing of sensitive data. Sensitive data for example would include data that would indicate one's race or ethnic background and also has been expanded to include under the GDPR biometric data or genetic data.

If you as a company are engaging evaluation or scoring of data subject which would include profiling and making predictions. That's pretty relevant for financial services firms and potentially fintechs. Some examples, real world examples could include a bank or a financial firm that screens your customers against a credit reference database or a biotechnology company that offers genetic tests directly to consumers in order to assess and predict their disease or health risk or a company building behavioral or marketing profiles based on the usage or navigation on its website. That's an example of evaluation or scoring where you would want to engage in a DPIA.

We're appropriate you would seek the views of data subjects or themselves or data subjects representatives, of course that sounds great in theory and you may be wondering if I'm doing this, how would I actually engage with the data subject and we do get clients asking us that we would recommend that you would seek counsel in undergoing the DPIA at least at first to understand what's necessary, what's not or to consult your DPO which you may have appointed.

Your data protection officer who can help, who can assist in ensuring that you're getting the right views when you're undergoing this assessment. One exclusion where you do not need to engage in a DPIA is the DPIA is based upon a law that specifically regulates processing operations and a DPIA has already been carried out for that. Finally, if after you've undergone a DPIA and it shows that the high risks have not been mitigated, excuse me, you may have to seek the relevant data protection commissioner or authority's opinion about what to do.

Next slide. I mentioned this already. A data protection officer, like DPIAs, the requirement to point, to appoint a DPO may be familiar to some because it was required in some EU jurisdictions, but it may be new to others as only some, yes, as only some national regimes required DPOs under the previous, the directive.

Basically, financial institutions and fintechs may need to appoint DPO if they're engaging in large scale processing of sensitive data or by the virtue of their processing. They require to do regular and systematic monitoring of data subjects on a large scale. That DPO must be obviously, hopefully expert in data protection laws and practices.

The DPO must report directly to the highest management level so this makes it a boardroom issue. They must be properly involved with all activities dealing with personal data. For example, if the company is undergoing a DPIA, the DPO should be involved. You must provide the DPO with sufficient resources.

Don't push them off into the corner in IT and don't give them anything, but a desk. They must be provided with resources to be able to complete their job. There can be a group DPO. It may not necessarily be an individual and if you're worried about redundancy or wanting to make sure that that DPO is ... You're getting your money's worth, they can perform other tasks as long as there's no conflict of interest.

It's a protective role. If that DPO is advising you that basically they think the company is at risk for being fined, you can't fire them if they're acting appropriately within their job. You can't fire them just because you don't like what they say which should be obvious. Finally, it may not necessarily be an internal appointment you can outsource the job of the DPO.

Just to note. Even when a GDPR does not specifically require the appointment of one, some organizations we find have been appointing a DPO on a voluntary basis particularly to centralize the responsibility for the new obligations under the GDPR.