Data protection impact assessment (impact assessment)
It is a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing such risks and determining the measures to address them).
It is important for accountability, as it helps not only to comply with the requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the GDPR.
A well-executed impact assessment allows a preventive analysis of data processing and the correction of GDPR non-compliant processes before a processing activity is carried out (data protection by design), mitigating the risk of being fined by the supervisory authority.
The GDPR does not require an impact assessment to be carried out for every processing operation. Where it is not clear whether an impact assessment is required, it is highly recommended that one be carried out nonetheless, as it is a useful tool for complying with data protection law.
Appropriately managing the risks presented by the processing of personal data is an ongoing obligation. Risk management can be defined as the coordinated activities to direct and control a company, organisation or other entity with regard to risk.
When a data protection impact assessment is mandatory
The GDPR requires an impact assessment to be carried out where processing is «likely to result in a high risk to the rights and freedoms of natural persons».
The GDPR gives some examples of when a processing operation is likely to result in a high risk, but leaves it to the Member States to issue lists of processing activities that need an impact assessment. The cases in which an impact assessment is mandatory are:
1. a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
2. processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences
3. a systematic monitoring of a publicly accessible area on a large scale.
The Italian supervisory authority has already issued a list of processing operations (available in Italian) that require an impact assessment.
How to analyse the risk
A risk is a scenario describing an event and its consequences for the rights and freedoms of natural persons, estimated in terms of severity and likelihood.
Risk assessment must not be confused with, or limited to, the assessment of security measures, which are only one of the elements to be taken into account.
The elements of the risk to be considered are its origin, nature, severity, likelihood and impact on the rights and freedoms of the data subject. Taken together, these elements determine the level of the risk.
The Italian supervisory authority has issued, in cooperation with CNIL (the French supervisory authority), a software tool to help carry out an impact assessment; the tool (Italian version) can be downloaded free of charge.
Where an impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons, and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the supervisory authority must be consulted before the processing activities are performed. As part of the consultation process, the controller shall provide the supervisory authority with the outcome of the impact assessment and the measures envisaged to mitigate the risk. The supervisory authority shall provide a written opinion within eight weeks of receipt of the request for consultation.
How to manage and prevent the risk
In order to meet the principle of accountability, it is mandatory to implement organisational and technical measures so that the risk is minimised and mitigated.
The measures to be considered are:
1. technical measures (e.g.: logistics and technical/electronic security policies)
2. organisational measures (e.g.: training and best practice policies)
3. adherence to the principles relating to processing of personal data (e.g.: data minimisation).