Data Protection Impact Assessment

The data protection impact assessment is one of the “new” obligations of the GDPR. Although it was introduced more than 2 and a half years ago, there is still some confusion about it, so we have decided to write about it in this first post of the year.

What is it?

This evaluation is an additional measure that is mandatory for certain companies or organizations whose data processing is considered high risk.

  • It should not be confused with risk analysis, which is an obligation for any company or organization that processes personal data, without exception.
  • One of the phases of the risk analysis is precisely to determine whether any of the processing operations analyzed requires a data protection impact assessment. To know which processing operations are subject to it, we have two main sources.
  • Art. 35 of the GDPR, which lists three types of processing that require a data protection impact assessment:

a) systematic and exhaustive evaluation of personal aspects of natural persons based on automated processing, such as profiling, and on the basis of which decisions are made that produce legal effects for natural persons or that significantly affect them in a similar way;

b) large-scale processing of the special categories of data referred to in article 9, paragraph 1, or of personal data relating to convictions and criminal offenses referred to in article 10, or

c) systematic observation on a large scale of a public access area.

  • The list of processing operations that require this evaluation, published by the Spanish Agency for Data Protection (AEPD).

In either of the two cases, we are talking about processing that can objectively involve a high risk for the people who are subject to it.

  • To decide whether or not a processing operation requires an impact assessment, we can also consult the list of processing operations that DO NOT require it, also published by the AEPD.
  • The data protection impact assessment must be carried out before the processing begins. This is entirely logical: if the evaluation concludes that the processing is intrusive to people and that processing is already being carried out, the evaluation makes little sense.

What does a data protection impact assessment include?

The GDPR itself details the minimum content of the evaluation, which must at least include:

  1. A definition of the processing operations carried out and their purposes.
  2. A justification that the processing is necessary to achieve such purposes.
  3. Details of the risks for those affected or data owners.
  4. Measures to mitigate or eliminate said risks.

Only processing operations that have passed the data protection impact assessment may be carried out; in other words, only once the measures to mitigate or eliminate said risks have been implemented.

Who should conduct a data protection impact assessment?

Those obliged to carry out this impact assessment are the data controllers (those responsible for the processing) that carry out the processing operations mentioned above. If so, the data protection officer must also participate in it, by being consulted. Where whoever has access to the data is considered a data processor (the party in charge of the processing), they are not obliged to carry out the impact assessment, but they must participate in it if it has to be carried out by the data controller on whose behalf they process the data.

How does the AEPD work?

For the moment, the AEPD has limited itself to educational work in relation to this impact assessment, publishing a guide for this purpose and an online tool so that those responsible can decide whether or not to carry it out.

Currently there are no sanctions for not carrying out the impact assessment in Spain, although in some EU countries, such as Norway or Finland, there have been some sanctions. We will see if this will be the next step of the AEPD…
