Data protection impact assessment (impact assessment)
Should a physician or a chemist carry out an impact assessment?
In such cases the obligation does not apply, because even though data concerning health are processed, processing is not on a large scale: this means that it does not concern a high number of individuals.
Can an impact assessment address multiple processing operations?
An impact assessment can address a single data processing operation, but the GDPR states that a single impact assessment may address a set of similar processing operations which present similar high risks. Therefore, it is possible to analyse a set of processing operations which are similar in terms of nature, scope, context, purposes and risk. It is not necessary to carry out an impact assessment in cases, such as processing operations performed in a specific context and for a specific purpose, which have already been analysed. For instance, there is no need to carry out a new impact assessment where similar technology is used to collect the same sort of data for the same purposes.
Can an insurance policy be subscribed to cover the risk?
In order to manage the risks to the rights and freedoms of persons, the risks have to be identified, analysed, estimated, evaluated, mitigated and reviewed regularly. Controllers cannot escape their responsibility by covering risks under insurance policies. Their responsibility remains unchanged.
To learn more, click here or contact me.
Leave a Reply