Draw up a description of the nature, scope, context and purposes of the processing of personal data. Identify the controller and any processors.
The description should include information about why and how personal data are to be processed. The description can be based on the life cycle of personal data processing: from the collection and processing of the data to the storage and destruction of the data. The description must explain
from where and how personal data will be collected
the purposes of processing, the uses of the data and a description of the processing operations
the resources to be used to process personal data (hardware, software, human resources, documents or channels used to transmit documents)
the individuals who will have access to the data
the parties to whom and the purposes for which the data will be disclosed
the retention period for the data, and
how the data will be securely destroyed.
The description should also explain how the processing operations and the associated decision-making process will be documented, and how the impact assessment will be reviewed and updated, for example if a risk relating to the processing changes. If the processing is to be based on the legitimate interests of the controller or of a third party, the systematic description must also include a balancing test weighing those interests against the interests and fundamental rights of the data subjects.
Identify the envisaged measures for ensuring compliance with the General Data Protection Regulation. This should include ensuring the effective application of data protection principles and protection of data subjects’ rights and identifying the rights and freedoms related to the processing of personal data.
A. Evaluate the envisaged processing operations from the perspective of the effective application of data protection principles.
Ensure that there is a specified, explicit and legitimate purpose for the processing of personal data.
Only process data that are necessary for achieving the purpose of the processing.
Ensure that the data are accurate and kept up to date. Plan measures for rectifying and erasing inaccurate or incorrect personal data.
Determine retention periods for the personal data so that they are kept only for as long as necessary for achieving the identified purposes. Reduce the amount of personal data processed as early as possible, for example by deleting or anonymising data that is no longer needed.
Protect the personal data by means of technical and organisational measures.
B. Take measures to promote the rights of data subjects.
Remember that the data protection rights of data subjects depend on the legal basis for the processing of personal data. Ensure that data subjects
are provided all relevant information
have access to their data and, where applicable, the right to data portability (to move their data from one system to another)
have the right to rectification of their data, to erasure, to restriction of processing and to object to the processing of their data.
Identify relationships to processors and ensure conditions for cooperation to protect data subjects’ rights.
Analyse safeguards relating to international transfers.
If the processing of personal data involves a high risk despite the measures taken, request prior consultation with the competent data protection authority before starting to process the data.
C. Identify any other rights and freedoms that relate to the processing of personal data
Rights and freedoms to be protected in connection with collecting personal data (e.g. domestic privacy, confidential communications).
Rights and freedoms relating to the purpose of the processing of personal data (e.g. property, health, right to self-determination, freedom of movement, right to be assessed on the basis of accurate information).
Any prohibited or unintentional side effects of the processing of personal data (e.g. discrimination).
Identify the risks associated with the processing of personal data taking into account the nature, scope, context and purposes of the processing and the origin of the risk. Analyse each risk separately. Once you have identified the risks, you can evaluate the measures needed to reduce the risks and their likelihood.
Carry out a risk assessment focusing on the rights and freedoms of data subjects relating to the envisaged processing of personal data and the associated risks.
Identify the threats that could lead to the data being accessed unlawfully, altered without authorisation or lost.
Identify the potential consequences of the risks to data subjects.
Assess the likelihood and severity of each risk.
The following are examples of risks relating to the processing of personal data (grouped by origin):
personal data breaches
  unlawful destruction or alteration of personal data
  accidental loss or alteration of personal data
  unauthorised disclosure of, or access to, personal data
  other loss of control over personal data
risks resulting from the actions of controllers or processors
  ambiguities in the purpose or lawfulness of the processing
  failure to follow other data protection principles
  inadequate information security
  risks caused by members of staff
  unauthorised processing of personal data
  unauthorised access to, or outsider influence on, the processing of personal data
  personal data obtained by criminal or other unlawful means
  unauthorised use of personal data or disclosure to third parties
risks not attributable to human action
  malfunctions or faults in processing hardware, software or data transmission equipment
  conventional risks relating to processing, such as fire, flooding and power cuts
offences relating to data processing and transmission in general
  endangerment of data processing
  interference in a computer system
  interference with communications
  damage to data
  personal data offences
risks arising from the personal data themselves
  the nature of the data (sensitivity and/or confidentiality)
  an incompatible purpose or context of processing
  unauthorised processing without the controller's consent
  potential use of the data for, for example, identity theft
  unauthorised use of electronic services by means of unlawfully acquired user names and passwords
Identify the origin of each risk and evaluate the means to reduce the risk. Such means include, among others, the following:
deciding not to process certain kinds of data
specifying or limiting the scope of processing
shortening retention periods
adopting additional security measures based on a specific risk
anonymisation and pseudonymisation of personal data
adopting written processing guidelines
increasing human involvement in automated decision-making processes
switching to a different technology
adopting unambiguous agreements on the exchange of information
giving data subjects the right to opt out of (prohibit) the processing, where possible
adopting systems and procedures that promote individuals’ data protection rights.
Document the aforementioned steps of the process and provide reasons for the choices made and the measures taken.
Explain what measures will be taken to reduce each risk and give an estimate of whether the proposed measures eliminate, lower or control the risk. Not all risks need to, or can, be eliminated. If the impact assessment reveals that the risk involved in the envisaged processing is high and the controller is unable to lower the risk by the measures available, the controller must request prior consultation with the competent data protection authority.
Use the results of the impact assessment to plan and implement practical measures. Once processing begins, it is important to monitor the adequacy of the chosen measures. A new impact assessment must be carried out at least if a new kind of risk emerges or if there is a change in a risk involved in the processing operations.