With the entry into force of the GDPR, there have been many significant changes in data protection for companies. These also include the instrument of the data protection impact assessment (DPIA).
Data protection impact assessments are intended to identify and assess the risks of critical data processing operations so that adequate measures can be taken to minimize them. Data controllers are obliged to carry out and document an impact assessment before starting new data processing operations in the company.
A good strategy for data protection impact assessment pays off in several respects. But what do companies need to consider? And how do you best go about establishing such a DPIA and sustainably integrating it into your company processes? Find out more in this article.
The legal requirements oblige companies to perform a detailed description and comprehensive assessment of existing data protection risks for specific data processing operations (a so-called data protection impact assessment). This impact assessment is not new but replaces the pre-audit that – depending on the country – had to be carried out before introducing the GDPR to prevent data protection risks.
In the impact assessment, data protection officers and process owners examine the risks associated with implementing certain data processing activities. Particular attention must be paid to the risks to the rights and freedoms of the data subjects. The goal is to analyze and evaluate the risks found. In the next step, high risks can be eliminated and processes optimized.
If elimination is not possible, all risks should at least be minimized and controlled. Companies must therefore take appropriate technical and organizational measures (TOM) at an early stage to contain the identified risks and adapt processes accordingly.
This optimized and structured risk analysis must have at least the following contents:
This process takes place in a consultation process where the stakeholders are consulted in the context of the processing. It is the procedure to follow for every data protection impact assessment. In doing so, companies must pay attention to clean documentation because, in case of doubt, this not only serves the company’s accountability or the briefing of employees but also acts as proof of the adequately conducted impact assessment for the responsible supervisory authorities.
Good to know: If a legally compliant impact assessment cannot be presented, there is the threat of severe fines. Therefore, be conscientious when documenting the impact assessment to avoid sanctions.
On the Priverion platform, you can easily carry out impact assessments using templates and document them clearly. This way, you can quickly determine which processes are at increased risk and initiate appropriate measures.
The General Data Protection Regulation (GDPR) takes a risk-based approach. This means that every operation involving personal data gets reviewed for its risk. In this context, only those processes that pose a risk are subject to regulation. The data protection impact assessment is also a risk analysis.
The purpose of an impact assessment is explained in the GDPR (Recital 84) as follows:
“In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk.”
Like all tools of the GDPR, the purpose of the impact assessment is to protect personal data of individuals and, in particular, their rights and freedoms. When processing special categories of personal data, all EU member states must comply with European law.
To the point: as an internal company risk analysis, an impact assessment intends to ensure that processing operations with a high risk for the data subjects are identified, monitored, improved, and risk-minimized.
Failure to conduct or incorrect handling of the impact assessment constitutes a violation of the law and can lead to heavy fines. Therefore, companies need to integrate good impact assessments into their processes.
First, it must be checked whether there is an obligation to carry out an impact assessment. Here, the GDPR lists many example cases, but the legal enumeration is not exhaustive. You are obliged to use your own standards when assessing individual situations. You can read more about this below.
In case of doubt, a competent supervisory authority may impose fines if, despite an obligation, no or inadequate impact assessments have been carried out. Missing or insufficient impact assessments can be punished with a fine of up to EUR 10 million or 2% of the annual global revenue generated in the previous fiscal year.
In addition, obligations to pay damage compensation to data subjects may arise if their data has not been adequately protected. In this respect, companies can reap the benefits of a solid data protection impact assessment because a risk analysis can also reveal other errors, glitches, and inefficiencies in individual processes.
To the point: The topic of data protection impact assessment should be taken seriously, not only to avoid fines. This prevention type also helps review and improve your processes and compliance measures.
Not all companies have to conduct data protection impact assessments. The GDPR lists specific example cases in which prior checks must be carried out. The primary public and non-public entities that must work on data protection impact assessments are as follows:
The companies mentioned above are required to evaluate whether or not a data protection impact assessment needs to be performed before any change is made to a process. Ideally, specially trained employees should do this. In a second step, internal or external data protection officers can additionally check the impact assessments.
There is an obligation to conduct an impact assessment whenever there is a high risk for the data subjects (Art. 35 GDPR). Risk in this context means any risk of an economic or social nature. So the point is whether the data of the data subjects are at risk.
Whether such a high risk exists is, in many cases, a matter of interpretation. Although the GDPR gives examples of when a high risk is to be assumed, this does not cover all processes and operations. Therefore, it is up to the companies to independently assess whether a risk exists and, thus, whether the obligation to conduct an impact assessment applies.
Caution: The independent assessment is fully reviewable by the courts, and the responsible supervisory authorities also have access to these assessments. Companies should, therefore, proceed conscientiously with risk forecasts or consult a legal expert in data protection. We will be happy to support you in this process.
High-risk processes include, among others, the evaluation of personal aspects of natural persons, such as profiling, mainly when these are processed automatically. Extensive processing of sensitive personal data from specific categories (for example, health data) is also subject to high risk. Also included is systematic and comprehensive monitoring of publicly accessible areas.
In addition to these examples from the GDPR, companies have further guidance regarding which operations require an impact assessment. For this purpose, the competent supervisory authorities regularly draw up a list of processing activities that require a data protection impact assessment. On it, for example, can be found:
Good to know: Some German supervisory authorities also publish lists that include processing operations that explicitly do not require an impact assessment. Feel free to contact the supervisory authority responsible for you for more information if needed.
If you are uncertain about the need for an impact assessment, you should consult with a data protection officer. Based on their in-depth experience, they will be able to assess the extent to which an impact assessment is necessary in your case.
Caution: Information provided by a data protection officer does not exempt companies from liability for data protection errors.
An impact assessment does not automatically mean that processing is justified. Depending on the processing and the type of data, further measures may need to be taken or consent obtained from the data subject. Nevertheless, companies must document the risks and keep them as low as possible. Avoidable risks identified by the impact assessment must also be eliminated in this case and the company’s internal processes optimized in line with the GDPR.
A data protection impact assessment is composed of four parts. If you have any unanswered questions when conducting it or need legal or technical support, feel free to contact us directly.
Your impact assessment should include the following steps:
Describe the processing process as comprehensively as possible and outline precisely how the process works and runs, what data is processed and which natural persons or groups of persons are affected. It is also important to note the legal basis on which this processing is likely to or may take place.
In addition, there is information about the purpose of the processing: What exactly is the data processing intended to achieve? The data sources, the data recipients, and other companies involved or the cooperation with service providers or other data controllers must also be listed here.
Ask yourself whether the data processing is necessary to fulfill the purpose: Is there a need for the procedure? Or does the processing contribute little or nothing to your objectives? Superfluous data processing should always be refrained from to keep the risks as low as possible.
In a further step, the proportionality must be presented separately and in a legally sound manner. This is done in several stages:
The risk analysis is the core of the impact assessment. The actual risks of the specific processing for the data subjects are identified and described. It therefore makes sense to work through defined warranty targets (protection goals) so that the processing operations can be controlled and analyzed for their risk:
Finally, describe how you (would like to) achieve the warranty targets. Also, determine the probability of occurrence of the damage and its severity. The risk of the data processing itself must be assessed first, before the remedial measures taken or planned to protect the data are included in the assessment.
Once the measures have been integrated and implemented, the remaining risk is reassessed. Regular follow-up impact assessments and risk analyses should be performed along the way. Consequently, review and improve existing and new processes continuously and regularly.
You should also plan appropriate measures for emergencies in advance, i.e., for the case that damage occurs. Train your employees on how to act in case of doubt so that they can react quickly and adequately in the event of a data protection breach and minimize the damage.
What sounds simple at first can mean much work in individual cases. Data protection impact assessments require a certain amount of time, effort, and sufficient resources to comply with the law. Also, their consistent application and repetition should not be underestimated. With the Priverion platform, you have a helpful tool that simplifies these processes.
Precisely because impact assessments are time-consuming, companies should deal with them at an early stage. The GDPR obliges companies to implement various measures to protect personal data and prevent unnecessary data processing.