Impact assessment
Impact assessments are designed to identify, evaluate and control the risks involved in the processing of personal data. They are intended as a continuous process of identifying and controlling risks, not a one-off exercise. An impact assessment must be carried out before processing begins and updated whenever necessary.
The impact assessment describes the envisaged processing of personal data, assesses the necessity and proportionality of the processing operations in relation to their purposes, identifies the resulting risks and sets out the measures envisaged to address those risks. An impact assessment must be carried out if the envisaged processing of personal data is likely to result in a high risk to people’s rights and freedoms.
The aim is to establish whether the remaining risk is justified and acceptable in the circumstances in question. Impact assessments help controllers to ensure, document and demonstrate their compliance with data protection regulations.
Controllers have a duty to seek advice from their data protection officer, if they have one, when carrying out impact assessments. If all or some of the responsibility for processing personal data has been given to a processor, the processor must assist in impact assessments.
Impact assessments can be carried out on individual processing operations or groups of processing operations. Multiple processing operations can only be included in the same assessment if they are similar.
A revision is required if the risks resulting from the associated processing operations change. Such changes can relate to the context or purposes of processing, the nature of the personal data (whose personal data or what personal data are being processed), the recipients of the data, the way data are combined, security measures, data transfers outside the EU and the EEA, or the adoption of new technology.
The criteria for carrying out impact assessments also apply to ongoing processing operations launched before 25 May 2018. In other words, controllers also need to carry out impact assessments on any ongoing processing operations whenever the criteria laid down in data protection regulations are satisfied.
When is a data protection impact assessment required?
An impact assessment may be required due to
- one of the processing scenarios specified in the General Data Protection Regulation arising
- a processing operation having been added to the competent data protection authority’s list
- national laws.
Impact assessment in the case of the processing scenarios specified in the General Data Protection Regulation
An impact assessment must be carried out if the envisaged processing of personal data is likely to result in a high risk to people’s rights and freedoms. An impact assessment is especially important when the operation involves
- using new technologies
- processing on a large scale of personal data relating to criminal convictions or offences or of special categories of personal data, such as data concerning health or revealing ethnic origin, political opinions, religious beliefs or sexual orientation
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
- a systematic monitoring of a publicly accessible area on a large scale.
The Data Protection Working Party has compiled guidelines that contain more detailed instructions and practical examples of situations in which a data protection impact assessment is required. According to the guidelines, a data protection impact assessment usually also needs to be carried out if two of the following criteria are satisfied. The more criteria a processing operation meets, the more likely it is to result in a high risk from the perspective of data subjects’ rights and freedoms.
Read more about the guidelines on data protection impact assessment (pdf)
Criteria for assessing the likelihood of a high risk
Evaluation or rating of data subjects’ performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements (including profiling and predicting).
For example:
- Financial institutions that evaluate their customers in light of a reference database relating to lending, a database relating to the prevention of money laundering and terrorist financing or a database concerning fraud.
- Biotechnology companies that advertise genetic testing directly to consumers in order to evaluate and predict the likelihood of diseases or health risks.
- Businesses that compile behavioural or marketing-related profiles that are based on the use of their website or activities on their website.
Automated decision-making where the decisions produce legal effects or other significant effects.
Personal data are sometimes collected in circumstances where the data subjects do not necessarily know who is collecting their data or how the data will be used. Moreover, individuals may be unable to avoid such a situation in public spaces or publicly accessible areas. Monitoring can refer to, for example, access control, CCTV monitoring or similar measures.
For example:
- Processing of data for the purpose of observing, tracking or monitoring data subjects, including the collection of data via networks.
- Systematic monitoring of a publicly accessible area on a large scale.
This refers to, for example, the special categories of personal data referred to in the General Data Protection Regulation as well as personal data relating to criminal convictions and offences. Other data that can satisfy this criterion include personal documents, such as e-mails, diaries, e-reader notes and highly personal data held in lifelogging applications.
For example:
- Public hospitals that keep patient records.
- Private investigators who hold data on criminal offenders.
- Electronic communications that should be confidential.
- Geographical positioning data the collection of which can undermine free movement.
- Financial data that could be used for payment fraud.
- Collecting data on customers’ suspicious conduct on online shopping sites.
Whether the data subject or a third party has already made the data public can be important in this context. There is no established definition of what constitutes data having been made public, and a case-by-case assessment is always needed. The fact that personal data have been made public can be relevant to the assessment, in particular if the data were intended to be used for specific purposes in the future.
Assessments of scale should ideally take into account the following:
- the number of data subjects concerned, either as an exact number or a percentage of a group, such as the population of a town or country
- the volume of the data to be processed and/or the number of individual units of data
- the duration or permanence of the data processing operation
- the geographical scope of the processing operation.
Matching or combining data sets in a manner that is unforeseen and unexpected from the perspective of data subjects.
For example:
- A controller combines data sets originating from two or more data processing operations carried out for different purposes or by different controllers.
- The customer registers of two businesses are combined in connection with a merger.
It can be difficult for data subjects to, for example, prevent the processing of their data or exercise their other rights if they are in a vulnerable position in relation to the controller.
Vulnerable individuals include, among others,
- children
- employees
- patients
- elderly people
- asylum seekers.
The use of new technology can involve innovative ways of collecting and using data, which can result in a high risk to the rights and freedoms of individuals. For example, certain Internet-of-Things (IoT) applications can have a significant impact on the daily lives and privacy of individuals, which is why a data protection impact assessment is required.
For example:
- Combining fingerprints and face recognition in order to improve access control.
Blocking of data subjects’ rights, services or agreements.
The aim of the processing of personal data is to give or deny data subjects the right to use a service, enter into an agreement or make changes to their rights.
For example:
- Banks that evaluate their customers in light of a reference database relating to lending in order to decide whether to give them a loan.
National laws
Impact assessments can also be required under national laws within the national leeway provided by the GDPR.
For example, carrying out an impact assessment and delivering it to the Data Protection Ombudsman can be a requirement for derogating from the rights of the data subject for purposes of historical and scientific research or the compilation of statistics, as provided for in section 31 of the Data Protection Act.
In this case, the impact assessment is related to a case in which the controller processes special categories of personal data or personal data related to criminal convictions and offences for purposes of historical and scientific research and wishes to derogate from certain rights of the data subject.
More information: Derogating from the rights of data subjects in the context of scientific or historical research or for statistical purposes