Impact assessment

Impact assessments are designed to identify, evaluate and control risks involved in the processing of personal data.

An impact assessment describes the envisaged processing of personal data, assesses the necessity and proportionality of the processing operations in relation to their purposes, assesses the resulting risks to data subjects' rights and freedoms, and sets out the measures envisaged to address those risks. The aim is to establish whether the remaining risk is justified and acceptable in the circumstances in question. Impact assessments help controllers to ensure, document and demonstrate their compliance with data protection regulations.

Controllers have a duty to seek the advice of their data protection officer, if they have appointed one, when carrying out impact assessments. If all or part of the processing of personal data has been outsourced to a processor, the processor must assist the controller in carrying out the impact assessment.

Impact assessments can be carried out on individual processing operations or on groups of processing operations. Multiple processing operations may only be covered by a single assessment if they are similar and present similar risks.

Impact assessments are designed to be a continuous process for identifying and controlling risks. An impact assessment must be carried out before processing begins and updated when necessary. A revision is required at least when the risks resulting from the processing operations change. Such changes can relate to the context or purposes of processing, the nature of the personal data (whose personal data or what personal data are being processed), the recipients of the data, the way data are combined, the security measures in place, transfers of data outside the EU and the EEA, or the adoption of new technology.

The criteria for carrying out impact assessments also apply to ongoing processing operations that began before 25 May 2018, the date from which the General Data Protection Regulation has applied. In other words, controllers also need to carry out impact assessments on ongoing processing operations whenever the criteria laid down in data protection regulations are satisfied.

When is a data protection impact assessment required?

An impact assessment may be required because

  • one of the processing scenarios specified in the General Data Protection Regulation applies
  • the processing operation appears on the list published by the competent data protection authority
  • national law requires it.

Impact assessment in the case of the processing scenarios specified in the General Data Protection Regulation

An impact assessment must be carried out if the envisaged processing of personal data is likely to result in a high risk to people’s rights and freedoms. The General Data Protection Regulation names the following situations in particular:

  • using new technologies
  • processing on a large scale of personal data relating to criminal convictions or offences or of special categories of personal data, such as data concerning health or revealing ethnic origin, political opinions, religious beliefs or sexual orientation
  • a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
  • a systematic monitoring of a publicly accessible area on a large scale.

Data Protection Working Party’s impact assessment guidelines

The Article 29 Data Protection Working Party has compiled guidelines that contain more detailed instructions and practical examples of situations in which a data protection impact assessment is required pursuant to the General Data Protection Regulation.

According to the guidelines, a data protection impact assessment usually also needs to be carried out if a processing operation satisfies two or more of the following criteria. The more criteria a processing operation meets, the more likely it is to result in a high risk to data subjects’ rights and freedoms.

Criteria for assessing the likelihood of a high risk

List compiled by the Office of the Data Protection Ombudsman of processing operations in connection with which an impact assessment is required

Pursuant to the General Data Protection Regulation, data protection authorities have a duty to establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment (GDPR, Article 35(4)). The Office of the Data Protection Ombudsman updates and revises its list as necessary. A copy of the list is also given to the European Data Protection Board.

The Office of the Data Protection Ombudsman has decided that the following processing operations require an impact assessment.

1. Whenever genetic data are being processed

Genetic data are personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. (GDPR, Article 4(13))

2. When personal data are processed in connection with so-called whistleblowing systems

Whistleblowing systems give organisations’ staff or other parties an opportunity to report unethical conduct, practices that are contrary to the organisation’s values or internal infringements anonymously. Whistleblowing systems can be used, for example, to ensure that the principles of an organisation’s decision-making and supervision system are followed in its daily administration.

3. When a controller forgoes informing data subjects based on Article 14(5)(b) of the General Data Protection Regulation

An impact assessment must be carried out if a controller obtains personal data from sources other than data subjects and forgoes the duty to inform the data subjects pursuant to Article 14 of the General Data Protection Regulation because

  • the provision of such information proves impossible (in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes)
  • the provision of such information would involve a disproportionate effort (in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes)
  • the provision of such information is likely to render impossible or seriously impair the achievement of the objectives of the processing.

National laws

Impact assessments can also be required under national laws within the national leeway provided by the EU’s General Data Protection Regulation.