Data protection impact assessment
Published 25 January 2021 (last modified 30 June 2022) at https://www.rosello-mallol.com/en/data-protection-impact-assessment/
The data protection impact assessment is one of the “new” obligations introduced by the GDPR and, although the Regulation has applied for more than two and a half years, there is still some confusion about it, so we have decided to devote this first post of the year to it.
This assessment is an additional measure that certain companies and organisations are obliged to carry out before processing personal data in a way that is considered high risk. Article 35(3) of the GDPR lists, in particular, the following cases:
a) a systematic and extensive evaluation of personal aspects of natural persons based on automated processing, including profiling, on which decisions are based that produce legal effects concerning those persons or similarly significantly affect them;

b) large-scale processing of the special categories of data referred to in article 9(1), or of personal data relating to criminal convictions and offences referred to in article 10; or

c) systematic monitoring of a publicly accessible area on a large scale.

In any of these three cases the processing is one that can objectively involve a high risk to the persons whose data are processed.

What does a data protection impact assessment include?

The GDPR itself, in article 35(7), sets out the minimum content that the assessment must contain.

Only processing that has passed the data protection impact assessment may be carried out, that is, once the measures to mitigate or eliminate the identified risks have been implemented.

Who should conduct a data protection impact assessment?

The obligation to carry out the impact assessment falls on the controller of the processing concerned. Where a data protection officer has been designated, the controller must seek the officer's advice when carrying it out. A processor, who processes data on behalf of the controller, is not obliged to carry out the impact assessment, but must assist the controller with it when the controller so requires.

How does the AEPD work?

So far the AEPD has limited itself to educational work on the impact assessment, publishing a guide for this purpose and an online tool that helps controllers decide whether or not they need to carry one out.

No penalties have yet been imposed in Spain for failing to carry out an impact assessment, although in some European countries, such as Norway or Finland, penalties have been imposed. We will see whether this is the next step for the AEPD.

If you have any questions about this or any other legal aspect, contact us.