Data protection impact assessment
The data protection impact assessment is one of the “new” obligations of the GDPR and, although it was introduced more than two and a half years ago, there is still some confusion about it, so we have decided to write about it in this first post of the year.
What is it?
This assessment is an additional measure that must be carried out on a mandatory basis by certain companies or organisations that carry out data processing that is considered high risk.
- It should not be confused with risk analysis, which is an obligation for any company or organisation that processes personal data, without exception.
- One of the phases of the risk analysis is precisely to determine whether any of the processes analysed require a data protection impact assessment and, to ascertain which processes are subject to it, there are two main sources:
- Art. 35 of the GDPR, which lists three types of processing that require a data protection impact assessment:
a) systematic and exhaustive evaluation of personal aspects of natural persons based on automated processing, such as profiling, and on the basis of which decisions are made that produce legal effects for natural persons or that significantly affect them in a similar way;
b) large-scale processing of the special categories of data referred to in article 9, paragraph 1, or of personal data relating to convictions and criminal offenses referred to in article 10, or
c) systematic observation on a large scale of a public access area.
- The list of processes that require this assessment, as published by the Spanish Data Protection Agency (AEPD).
In either of the two cases, these are processes that can objectively involve a high risk to the people subject to them.
- To decide whether or not a process requires Impact Assessment, you can also consult the list of processes that DO NOT require it, which is also published by the AEPD.
- The data protection impact assessment must be performed before processing begins, which makes perfect sense: if the assessment concludes that the processing is intrusive to the people affected, it would be pointless for that processing to already be under way.
What does a data protection impact assessment include?
The GDPR itself details the minimum content of the assessment, which must at least include:
- A definition of the processing carried out and its purposes.
- A justification that the processing is necessary to achieve such purposes.
- Details of the risks for those affected or data owners.
- Measures to mitigate or eliminate said risks.
Only those processes that have passed the data protection impact assessment may be carried out, in other words, once the measures to mitigate or eliminate said risks have been implemented.
Who should conduct a data protection impact assessment?
The obligation to carry out this impact assessment falls on the controller of the processing involved. Where applicable, the data protection officer must also take part, when consulted. Where whoever has access to the data is considered a processor, they are not obliged to carry out the impact assessment themselves, but must take part in it if it is required by the controller on whose behalf they process the data.
How is the AEPD acting?
At present, the AEPD has limited itself to educational work in relation to said impact assessment, with the publication of a guide for this purpose and an online tool so that controllers can decide whether or not they need to carry one out.
There are currently no penalties for not carrying out the impact assessment in Spain, although in some EU countries, such as Norway or Finland, some penalties have been imposed. We will see whether this is the next step of the AEPD…
If you have any questions about this or any other legal aspect, contact us here.