Data protection impact assessment according to the GDPR

With the entry into force of the GDPR, there have been many significant changes in data protection for companies. These also include the instrument of the data protection impact assessment (DPIA).

Data protection impact assessments are intended to identify and assess critical data processing operations risks to take adequate measures to minimize them. For data controllers, there is an obligation to carry out and document an impact assessment before starting new processes for data processing in the company.

A good strategy for data protection impact assessment pays off in several respects. But what do companies need to consider? And how do you best go about establishing such a DPIA and sustainably integrating it into your company processes? Find out more in this article.

The most important facts in brief

• Since May 2018, the data protection impact assessment has been mandatory for most public authorities and private companies that collect, process, and use special categories of personal data.
• A data protection impact assessment must be carried out whenever processing operations pose high risks to the rights and freedoms of data subjects.
• The impact assessment provides a systematic prior assessment of data processing operations’ risks and sources of error.
• In addition, data protection impact assessments also aim to develop and integrate strategies that prevent risks in the specific processing operation.

What is the data protection impact assessment of the GDPR?

The legal requirements oblige companies to perform a detailed description and comprehensive assessment of existing data protection risks for specific data processing operations (a so-called data protection impact assessment). This impact assessment is not new but replaces the pre-audit that – depending on the country – had to be carried out before introducing the GDPR to prevent data protection risks.

In the impact assessment, data protection officers and process owners examine the risks associated with implementing certain data processing activities. Particular attention must be paid to the risks to the rights and freedoms of the data subjects. The goal is to analyze and evaluate the risks found. In the next step, high risks can be eliminated and processes optimized.

If elimination is not possible, all risks should at least be minimized and controlled. Companies must therefore take appropriate measures (TOM) at an early stage to contain the identified risks and adapt processes accordingly. 

This optimized and structured risk analysis must have at least the following contents:

1. the precise description of the planned processing operations and the respective processing purposes, as well as the company’s legitimate interests in the processes,
2. assessment of the necessity and need for the data processing in relation to the purpose,
3. assessment of risks to the freedoms and rights of data subjects,
4. establishment of appropriate risk mitigation measures, security measures, and emergency procedures.

This process takes place in a consultation process where the stakeholders are consulted in the context of the processing. It is the procedure to follow for every data protection impact assessment. In doing so, companies must pay attention to clean documentation because, in case of doubt, this not only serves the company’s accountability or the briefing of employees but also acts as proof of the adequately conducted impact assessment for the responsible supervisory authorities.

Good to know: If a legally compliant impact assessment cannot be presented, there is the threat of severe fines. Therefore, be conscientious when documenting the impact assessment to avoid sanctions.

On the Priverion platform, you can easily carry out impact assessments using templates and document them clearly. This way, you can quickly determine which processes are at increased risk and initiate appropriate measures.

Why is a data protection impact assessment necessary?

The General Data Protection Regulation (GDPR) takes a risk-based approach. This means that every operation involving personal data get reviewed for its risk. In this context, only those processes that pose a risk are subject to regulation. The data protection impact assessment is also a risk analysis.

The purpose of an impact assessment is explained in the GDPR (Recital 84) as follows:

Like all tools of the GDPR, the purpose of the impact assessment is to protect personal data of individuals and, in particular, their rights and freedoms. When processing special categories of personal data, all EU member states must comply with European law.

To the point: as an internal company risk analysis, an impact assessment intends to ensure that processing operations with a high risk for the data subjects are identified, monitored, improved, and risk-minimized.

What happens if an impact assessment is missing or incorrectly performed?

Failure to conduct or incorrect handling of the impact assessment constitutes a violation of the law and can lead to heavy fines. Therefore, companies need to integrate good impact assessments into their processes. 

First, it must be checked whether there is an obligation to carry out an impact assessment. Here, the GDPR lists many example cases, but the legal enumeration is not exhaustive. You are obliged to use your own standards when assessing individual situations. You can read more about this below.

In case of doubt, a competent supervisory authority may impose fines if, despite an obligation, no or inadequate impact assessments have been carried out. Missing or insufficient impact assessments can be punished with a fine of up to EUR 10 million or 2% of the annual global revenue generated in the previous fiscal year.

In addition, obligations to pay damage compensation to data subjects may arise if their data has not been adequately protected. In this respect, companies can reap the benefits of a solid data protection impact assessment because a risk analysis can also reveal other errors, glitches, and inefficiencies in individual processes.

To the point: The topic of data protection impact assessment should be taken seriously, not only to avoid fines. This prevention type also helps review and improve your processes and compliance measures.

Who needs to conduct a data protection impact assessment?

Not all companies have to conduct data protection impact assessments. The GDPR lists specific example cases in which prior checks must be carried out. The primary public and non-public entities that must work on data protection impact assessments are as follows:

• Companies and public authorities that use scoring procedures or perform similar procedures for profiling purposes,
• Those that process and store special category personal data on a significant scale (such as health data or data related to criminal offenses or criminal convictions),
• Companies and public authorities that systematically and extensively monitor publicly accessible spaces (especially in the case of video surveillance).

The companies mentioned above are required to evaluate whether or not a data protection impact assessment needs to be performed before any change is made to a process. Ideally, specially trained employees should do this. In a second step, internal or external data protection officers can additionally check the impact assessments.

When does an impact assessment need to be conducted?

There is an obligation to conduct an impact assessment whenever there is a high risk for the data subjects (Art. 35 GDPR). Risk in this context means any risk of an economic or social nature. So the point is that the data of the data subjects are at risk.

If such a high risk exists is, in many cases, a matter of interpretation. Although the GDPR gives examples of when a high risk is to be assumed, this does not cover all processes and operations. Therefore, it is up to the companies to independently assess whether a risk exists and, thus, whether the obligation to conduct an impact assessment is relevant.

Caution: The independent assessment is fully reviewable by the courts, and the responsible supervisory authorities also have access to these assessments. Companies should, therefore, proceed conscientiously with risk forecasts or consult a legal expert in data protection. We will be happy to support you in this process.

Data protection: When is there a high risk?

High-risk processes include, among others, the evaluation of personal aspects of natural persons, such as profiling, mainly when these are processed automatically. Extensive processing of sensitive personal data from specific categories (for example, health data) is also subject to high risk. Also included is systematic and comprehensive monitoring of publicly accessible areas.

In addition to these examples from the GDPR, companies have further guidance options regarding which operations require an impact assessment. For this purpose, the competent supervisory authorities regularly draw up a list of processing activities that require a data protection impact assessment. On it, for example, can be found:

• Processing of data subject to social, professional, or official secrecy
• Processing of biometric or genetic data
• Automated processing of data using artificial intelligence or algorithms
• Processing of data involving profiling, scoring, personality assessment, or employee behavior analysis
• When merging large amounts of data

Good to know: Some German supervisory authorities also publish lists that include processing operations that explicitly do not require an impact assessment. Feel free to contact the supervisory authority responsible for you for more information if needed.

If you are uncertain about the need for an impact assessment, you should consult with a data protection officer. Based on their in-depth experience, they will be able to assess the extent to which an impact assessment is necessary in your case.

Caution: Information provided by a data protection officer does not exempt companies from liability for data protection errors.

An impact assessment does not automatically mean that processing is justified. Depending on the processing and the type of data, further measures may need to be taken or consent obtained from the data subject. Nevertheless, companies must document the risks and keep them as low as possible. Avoidable risks identified by the impact assessment must also be eliminated in this case and the company’s internal processes optimized in line with the GDPR.

What should be taken into account when carrying out an impact assessment?

A data protection impact assessment is composed of four parts. If you have any unanswered questions when conducting it or need legal or technical support, feel free to contact us directly.

Your impact assessment should include the following steps:

1. Describe the processing processes and purposes

Describe the processing process as comprehensively as possible and outline precisely how the process works and runs, what data is processed and which natural persons or groups of persons are affected. It is also important to note the legal basis on which this processing is likely to or may take place.

In addition, there is information about the purpose of the processing: What exactly is the data processing intended to achieve? The data sources, the data recipients, and other companies involved or the cooperation with service providers or other data controllers must also be listed here.

2. Necessity and proportionality

Ask yourself whether the data processing is necessary to fulfill the purpose: Is there a need for the procedure? Or is the processing rather not conducive to your objectives? Superfluous data processing should always be refrained from to keep the risks as low as possible.

In a further step, the proportionality must be presented separately and in a legally sound manner. This is done in several stages:

1.  suitability: it must be studied first whether the procedure in its intended form is suitable to achieve the intended purpose. Processes that are not suitable in their form are not justified and may have to be revised.
2.  Necessity: The question here is whether there are milder, equally suitable options to achieve the purpose which are less burdensome for the persons affected, less intrusive, or less risky. Organizational measures such as deletion concepts or time limits, which mitigate the intensity of the intervention, can also be mentioned here. Here, too, the question should be asked whether an intervention is necessary to achieve the purpose.
3. appropriateness: If no milder, equally suitable options are available, the appropriateness must be assessed. Here, it must be weighed whether the processing is in proportion to the rights and freedoms of the data subjects and whether the rights of data subjects are not so serious overall that the processing should be refrained from.

3. The risk analysis

The risk analysis is the core of the impact assessment. The actual risks of the specific processing for the data subjects get illustrated and identified. It, therefore, makes sense to work through defined warranty targets so that the processing operations can be controlled and analyzed for their risk:

• Data confidentiality: Who has access to the data?
• Integrity: The content of the data must not be changed.
• Data availability
• Resilience: are the technical systems resilient and secure?
• Transparency: are the data processing operations traceable? Who processes which data and for what purpose? Have the data subjects been sufficiently informed?
• Data minimization: Is the scope of data processing necessary to achieve the purpose?
• Data subject rights: Are data subject rights sufficiently guaranteed?
• Non-linking: data must not be linked to other data and must not be used for other purposes

4. Establishment of remedial measures

Finally, describe how you (would like to) achieve the warranty targets. Also, determine the likelihood of occurrence of the damage and its amount. The risk to the data processing itself must be assessed first before the remedial measures taken or planned to protect the data are included in the assessment.

Once the measures have been integrated and implemented, the remaining risk is reassessed. Regular follow-up impact assessment and risk analyses should be performed along the way. Consequently, review and improve existing and new processes permanently and regularly.

You should also plan appropriate measures for emergencies in advance, i.e., if damage occurs. Train your employees on how to act in case of doubt to react quickly and adequately in the event of a data protection breach and minimize the damage.

Conclusion

What sounds simple at first can mean much work in individual cases. Data protection impact assessments require a certain amount of time, effort, and sufficient resources to comply with the law. Also, their consistent application and repetition should not be underestimated. With the Priverion platform, you have a helpful tool that simplifies these processes.

Precisely because impact assessments are time-consuming, companies should deal with them at an early stage. The GDPR obliges companies to implement various measures to protect personal data and prevent unnecessary data processing.