11 DPIA-triggers explained by Hollywood blockbuster movies
By Laurens Mommer, Last updated: 2021-05-27 (originally published on 2019-09-03)
|Background: A Data Protection Impact Assessment (DPIA) is a process aimed at analysing and minimising the data-protection risks inherent within an organisation’s business model of processing activities. The DPIA Triggers are situations following which businesses must carry out a DPIA. If you’re not sure where you stand, we actually offer an Information Audit Form on our platform – create an account for free and give it a try.|
Besides all the serious stuff in and around DPIA, we wanted to do something more fun. So we matched movie fragments with each of the eleven DPIA triggers that were issued by the European Data Protection Board. Seen all these movies? Relive the excitement. Never seen any of them? You have some catching up to do!
Automated decision making with legal or similar significant effect
DPIA Trigger #2
Data processed on a large scale
The Social Network
We do not know how accurate this depiction of the history of Facebook is, but if it is, the massive collection and manipulation of personal data starts with an outright sexist online response of the protagonist to his girlfriend dumping him, invoking the ‘creativity’ that ultimately is translated into the billions of dollars’ network. The script writer knows how to forecast Zuckerberg’s disdain to people’s privacy. Little explanation is needed that ‘data processing on a large scale’ applies to the biggest social network in the world.
DPIA Trigger #3
Special categories of data or personal data relating to criminal convictions or offences
Ah, if only Tom Cruise can run for his life and look agonised, the role fits him like a glove. In this flick, he’s a cop of the pre-crime unit, where villains are caught before the act – until he himself is the subject of an investigation and he has to get a new identity to find out what would drive him to kill someone. All very convincing to the fact that indeed processing of criminal conviction data should be subject to a data processing impact assessment. There would have never been a pre-crime department with such a useful instrument…
DPIA Trigger #4
Systematic monitoring (including of publicly accessible area)
Bruce Willis can look agonised too, and here he’s in a time travel paradox shaped by retro tubes in extravagant design that only Terry Gilliam can create. He’s on a quest to find the creators of a deadly virus that would wipe out almost the entire world population. Here comes the twist though:not only his surroundings, but he himself starts doubting his sanity. There’s a lot of systematic monitoring in this movie, especially in the dystopic future of 2035. Too real, too soon?
DPIA Trigger #5
A processing category on the list of the national supervisory authority
A hard one. But then again, we always have James Bond, and the sole supervisory authority that oversees a country exiting the EU. So, this has to be the use of innovative technology, which is on the ICO’s list, and fits perfectly with Q’s department. Smart blood would qualify, featured in the grimmest of all Bond movies. It makes James Bond traceable anywhere on earth. Wed say a proportionality test would prove that there are simpler, less intrusive technologies to attain the same, but we are not script writers.
DPIA Trigger #6
Matching or combining data sets
Not a blockbuster, but the cast with Donald Sutherland and Max von Sydow makes it definitely worth to watch the painstaking search of a detective, trying to find a Soviet serial killer. The fact that the killer walks away the first time is based on a very rare mismatch between samples. The detective goes through a painstaking process to find the killer through the bureaucracy of the Soviet Union in the eighties. Definitely a case where matching data sets properly could have greatly helped.
DPIA Trigger #7
Processing prevents data subjects from exercising a right or using a service or contract
Assume that the world as you know it, is just a reality ‘projected’ into your mind. Your body is a biological battery enslaved by machines. This would deprive you from free will, and no data subject access request filed to the Machines that keep you in prison will ever be answered. Keanu Reeves beats his deprivation by the Matrix by taking the red pill. But the rabbit hole is deep, and full of hardship. In the end, he luckily gets the answers he’s looking for – The Machine world complied with his data subject rights after all! You’ll have to watch all three parts to get there, though.
DPIA Trigger #8
Data concerning vulnerable subjects
Let’s not forget that data processing is not only done by computers. People can process data as well, and they can do so for vulnerable subjects too. E.T. and the children looking after him definitely count as vulnerable in this Spielberg classic. The authorities, parents and other unidentified adults are the threat to the most likeable extraterrestrial being that movie history has ever seen. Some regard E.T. as Spielberg’s depiction of Jesus Christ. We keep it to deeply felt humanism, a rarity in sci-fi.
DPIA Trigger #9
Innovative use or applying new technological or organisational solution
Christopher Nolan knows how to depict an original concept. In this film, the main character, played by Leonardo di Caprio, is a convicted man on the run, earning his money with breaking into people’s dreams. His grand accomplishment is ‘inception’, planting a seed for an idea that then becomes a life changer for the affected subject. This accomplishment is both his ticket to freedom and seeing his children again, and the reason behind his conviction. Surely inception would qualify as a technique that has to be assessed for its data protection consequences…
DPIA Trigger #10
Evaluation/scoring (including profiling and predicting)
This dystopian film shows a world where a single search and social media company takes control of everyone’s lives. Under the motto ‘sharing is caring’, main character Emma Watson happily lets the network stream her life day and night. But after an old-fashioned communist ‘self criticism’ vlog, still feeding her immense popularity, she starts realising that the owners themselves do have stuff to hide. Finally, she comes to realise that this may not be such a good idea after all. If you want to have a laugh, watch this film (and no, it’s not a comedy).
DPIA Trigger #11
Sensitive data or data of a highly personal nature
It’s always nice to see how science fiction magnifies the design and fashion of the year it stems from. This is valid for The Net too, in that the internet doesn’t look quite like the internet we know now, or even as it was in 1995, the year this movie was released. The main character is Sandra Bullock. Of course, there is a romance, a conspiracy and a happy ending. And a warning about what you can do once you get your hands on a person’s personal data, including turning her into a criminal. In the computer, that is.
This article does not constitute legal advice.
PrivacyPerfect, is one of the first high-end privacy compliance software providers on the market.