Carrying out an impact assessment
Draw up a description of the nature, scope, context and purposes of the processing of personal data. Identify the controller and any processors.
The description should include information about why and how personal data are to be processed. The description can be based on the life cycle of personal data processing: from the collection and processing of the data to the storage and destruction of the data. The description must explain
- from where and how personal data will be collected
- the purposes of processing, the uses of the data and a description of the processing operations
- the resources to be used to process personal data (hardware, software, human resources, documents or channels used to transmit documents)
- the individuals who will have access to the data
- the parties to whom and the purposes for which the data will be disclosed
- the retention period for the data, and
- how the data will be securely destroyed.
The description should also explain how the processing operations and the associated decision-making process will be documented, and how the impact assessment will be reviewed and updated, for example if a risk relating to the processing changes. If the processing is to be based on the controller’s or a third party’s legitimate interests, the systematic description must include a balancing test weighing those interests against the interests and rights of the data subjects.
Identify the measures envisaged for ensuring compliance with the General Data Protection Regulation. This involves (A) ensuring the effective application of the data protection principles, (B) protecting data subjects’ rights and (C) identifying the other rights and freedoms affected by the processing of personal data.
A. Evaluate the envisaged processing operations from the perspective of the effective application of data protection principles.
- Ensure that there is a specified, explicit and legitimate purpose for the processing of personal data.
- Identify the legal basis for the processing of personal data.
- Only process data that are necessary for achieving the purpose of the processing.
- Ensure that the data are accurate. Plan measures for rectifying and erasing inaccurate or incorrect personal data.
- Set retention periods so that personal data are kept only for as long as necessary for the identified purposes, and reduce the personal data processed to the minimum as early as possible.
- Protect the personal data by means of technical and organisational measures.
B. Ensure that the rights of data subjects are protected.
- Take measures to promote the rights of data subjects.
- Remember that the data protection rights of data subjects depend on the legal basis for the processing of personal data. Ensure that data subjects
  - are provided with all relevant information
  - have access to their data and can move their data from one system to another (data portability)
  - can have their data rectified or erased, can restrict the processing of their data and can object to it.
- Identify relationships to processors and ensure conditions for cooperation to protect data subjects’ rights.
- Analyse safeguards relating to international transfers.
- If the processing of personal data involves a high risk despite the measures taken, request prior consultation with the competent data protection authority before starting to process the data.
C. Identify any other rights and freedoms that relate to the processing of personal data
- Rights and freedoms to be protected in connection with collecting personal data (e.g. domestic privacy, confidential communications).
- Rights and freedoms relating to the purpose of the processing of personal data (e.g. property, health, right to self-determination, freedom of movement, right to be assessed on the basis of accurate information).
- Any prohibited or unintentional side effects of the processing of personal data (e.g. discrimination).
Identify the risks associated with the processing of personal data taking into account the nature, scope, context and purposes of the processing and the origin of the risk. Analyse each risk separately. Once you have identified the risks, you can evaluate the measures needed to reduce the risks and their likelihood.
- Carry out a risk assessment focusing on the rights and freedoms of data subjects relating to the envisaged processing of personal data and the associated risks.
- Identify the threats that could lead to the data being accessed unlawfully, altered without authorisation or lost.
- Identify the potential consequences of the risks to data subjects.
- Assess the likelihood and severity of each risk.
The following are examples of risks relating to the processing of personal data:
- personal data breaches
  - unlawful destruction or alteration of personal data
  - accidental loss or alteration of personal data
  - unauthorised disclosure of, or access to, personal data
  - other loss of control over personal data
- risks resulting from the actions of controllers or processors
  - ambiguities in the purpose or lawfulness of the processing
  - failure to follow other data protection principles
  - inadequate information security
- risks caused by members of staff
  - unauthorised processing of personal data
  - snooping
- unauthorised access to, or outsider influence on, the processing of personal data
  - personal data accessed by criminal or other means
  - unauthorised use of personal data or disclosure to third parties
- risks not attributable to human action
  - malfunctions or faults in processing hardware, software or data transmission equipment
  - conventional risks relating to processing: fire, flooding and power cuts
- data violations relating to data processing and transmission in general
  - endangerment of data processing
  - computer break-in
  - interference in a computer system
  - interference with communications
  - damage to data
- offences against personal data
  - identity theft
  - secrecy offence
- risks relating to the personal data themselves
  - their nature (sensitivity and/or confidentiality)
  - an incompatible purpose or context of processing
  - unauthorised processing without the controller’s consent
  - their potential use for identity theft, for example
  - unauthorised use of electronic services by means of unlawfully acquired user names and passwords
Identify the origin of each risk and evaluate the means to reduce the risk. Such means include, among others, the following:
- deciding not to process certain kinds of data
- specifying or limiting the scope of processing
- shortening retention periods
- adopting additional security measures based on a specific risk
- anonymisation and pseudonymisation of personal data
- adopting written processing guidelines
- increasing human involvement in automated decision-making processes
- switching to a different technology
- adopting unambiguous agreements on the exchange of information
- giving data subjects the right to prohibit processing, where possible
- adopting systems and procedures that promote individuals’ data protection rights.
Document the aforementioned steps of the process and provide reasons for the choices made and the measures taken.
Explain what measures will be taken to reduce each risk and estimate whether the proposed measures eliminate, reduce or merely control the risk. Not all risks need to, or can, be eliminated. If the impact assessment shows that the envisaged processing still involves a high risk and the controller cannot lower it with the measures available, the controller must request prior consultation with the competent data protection authority before starting the processing.
Use the results of the impact assessment to plan and implement practical measures. Once processing begins, it is important to monitor the adequacy of the chosen measures. A new impact assessment must be carried out at least if a new kind of risk emerges or if there is a change in a risk involved in the processing operations.