Data protection impact assessment
A data protection impact assessment (DPIA) is a statutory risk assessment that must be carried out for activities in which the processing of personal data is likely to pose a high risk to the rights and freedoms of individuals. Such a high risk exists, for example, where:
the processing involves automated decision-making, such as profiling, that has a significant effect on the individuals concerned
sensitive personal data are processed on a large scale
the processing involves the use of new technologies
a publicly accessible area is systematically monitored on a large scale
Data protection authorities in different countries may publish more specific guidance on the types of processing operations for which an impact assessment is required. In Finland, for example, the Data Protection Ombudsman has decided that an impact assessment must be carried out:
for certain types of processing of biometric data
for certain types of processing of genetic data
for a specific type of processing of location data
when derogating from the obligation to inform data subjects on the basis of Article 14(5)(b) of the GDPR
for the processing of data in a whistleblowing channel
There is no prescribed form for an impact assessment, but it must include the following elements:
a systematic description of the processing of personal data and the purposes of the processing
an assessment of the necessity and proportionality of the processing in relation to the purposes
a risk assessment, including an evaluation of the risks to the rights and freedoms of data subjects
the measures envisaged to address the identified risks
An impact assessment is most useful when it is carried out at the planning stage of a project: a well-executed assessment also yields the data protection requirements for the project and often helps to clarify the project's objectives. If the risks associated with the processing change later, the impact assessment must be revised accordingly.