Impact assessment

Impact assessments are designed to identify, evaluate and control risks involved in the processing of personal data.

The impact assessment procedure covers describing the envisaged processing of personal data and assessing the necessity and proportionality of the processing operations in relation to the purposes and the resulting risks as well as the measures envisaged to address the risks. The aim is to establish whether the remaining risk is justified and acceptable in the circumstances in question. Impact assessments help controllers to ensure, document and demonstrate their compliance with data protection regulations.

Controllers have a duty to seek advice from their data protection officer, if they have one, when carrying out impact assessments. If all or some of the responsibility for processing personal data has been given to a processor, the processor must assist in impact assessments.

Impact assessments can be carried out on individual processing operations or groups of processing operations. Multiple processing operations can only be included in the same assessment if they are similar. 

Impact assessments are designed to be a continuous process for identifying and controlling risks. Impact assessments must be carried out before processing begins and updated if necessary. A revision is required at least if the risks resulting from the associated processing operations change. Such changes can relate to the context or purposes of processing or the nature of the personal data (whose personal data or what personal data are being processed), the recipients of the data, the way data are combined, security measures, data transmissions beyond the EU and the EEA or the adoption of new technology.

The criteria for carrying out impact assessments also apply to ongoing processing operations launched before 25 May 2018. In other words, controllers also need to carry out impact assessments on any ongoing processing operations whenever the criteria laid down in data protection regulations are satisfied.

When is a data protection impact assessment required?

An impact assessment may be required because

  • the processing falls under one of the processing scenarios specified in the General Data Protection Regulation
  • the processing operation has been added to the competent data protection authority’s list
  • national law requires it.

Impact assessment in the case of the processing scenarios specified in the General Data Protection Regulation

An impact assessment must be carried out if the envisaged processing of personal data is likely to result in a high risk to people’s rights and freedoms. An impact assessment is especially important when the operation involves

  • using new technologies
  • processing on a large scale of personal data relating to criminal convictions or offences or of special categories of personal data, such as data concerning health or revealing ethnic origin, political opinions, religious beliefs or sexual orientation
  • a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
  • a systematic monitoring of a publicly accessible area on a large scale.

Data Protection Working Party’s impact assessment guidelines

The Data Protection Working Party has compiled guidelines that contain more detailed instructions and practical examples of situations in which a data protection impact assessment is required pursuant to the General Data Protection Regulation.

According to the guidelines, a data protection impact assessment usually also needs to be carried out if two of the following criteria are satisfied. The more criteria a processing operation meets, the more likely it is to result in a high risk from the perspective of data subjects’ rights and freedoms.

Criteria for assessing the likelihood of a high risk

List compiled by the Office of the Data Protection Ombudsman of processing operations which require data protection impact assessment (DPIA)

Updated 21.12.2018

Article 35 (1) GDPR requires a DPIA when the processing activity is likely to result in a high risk to the rights and freedoms of natural persons.

Article 35 (3) GDPR provides a non-exhaustive list of types of processing that require a DPIA.

According to Article 35(4) GDPR, the supervisory authority shall establish and make public a list of the kinds of processing operations which are subject to the requirement for a DPIA.

Nature of the list

This list is not exhaustive.

Reference to the guidelines

This list of processing operations which require a DPIA further specifies Article 35(1) of the General Data Protection Regulation. The list is based on the Article 29 Working Party's WP 248 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679. This list complements and further specifies those guidelines.

The Finnish Data Protection Ombudsman requires a DPIA for the following processing activities:

Biometric data

Without prejudice to Article 35(3) GDPR, a DPIA must be carried out when biometric data are processed for the purpose of uniquely identifying a natural person in conjunction with at least one of the following criteria:

  • biometric data are processed for the evaluation or scoring of the data subject
  • the processing of biometric data aims at automated decision-making with legal or similarly significant effects
  • the processing of biometric data is used for systematic monitoring of data subjects
  • biometric data are processed on a large scale
  • the processing of biometric data includes matching or combining datasets
  • the biometric data processed concern vulnerable data subjects
  • biometric data are processed in an innovative use or by applying new technological or organizational solutions
  • the processing of biometric data prevents data subjects from exercising a right or using a service or a contract

Genetic data

Without prejudice to Article 35(3) GDPR, a DPIA must be carried out when genetic data are processed in conjunction with at least one of the following criteria:

  • genetic data are processed for the evaluation or scoring of the data subject
  • the processing of genetic data aims at automated decision-making with legal or similarly significant effects
  • the processing of genetic data is used for systematic monitoring of data subjects
  • genetic data are processed on a large scale
  • the processing of genetic data includes matching or combining datasets
  • the genetic data processed concern vulnerable data subjects
  • genetic data are processed in an innovative use or by applying new technological or organizational solutions
  • the processing of genetic data prevents data subjects from exercising a right or using a service or a contract

Location data

A DPIA must be carried out when location data are processed in conjunction with at least one of the following criteria:

  • location data are processed for the evaluation or scoring of the data subject
  • the processing of location data aims at automated decision-making with legal or similarly significant effects
  • the processing of location data is used for systematic monitoring of data subjects
  • the location data processed reveal sensitive data or data of a highly personal nature
  • location data are processed on a large scale
  • the processing of location data includes matching or combining datasets
  • the location data processed concern vulnerable data subjects
  • location data are processed in an innovative use or by applying new technological or organizational solutions
  • the processing of location data prevents data subjects from exercising a right or using a service or a contract

Exceptions to the information to be provided to the data subject according to Article 14(5) GDPR

A DPIA must be carried out when personal data are collected from a source other than the data subject without providing them with a privacy notice on the basis of Article 14(5)(b) GDPR, in conjunction with at least one of the following criteria:

  • personal data are processed for the evaluation or scoring of the data subject
  • the processing of personal data aims at automated decision-making with legal or similarly significant effects
  • the processing of personal data is used for systematic monitoring of data subjects
  • sensitive personal data or data of a highly personal nature are processed
  • personal data are processed on a large scale
  • the processing of personal data includes matching or combining datasets
  • the personal data processed concern vulnerable data subjects
  • personal data are processed in an innovative use or by applying new technological or organizational solutions
  • the processing of personal data prevents data subjects from exercising a right or using a service or a contract

Processing of personal data in whistleblower systems

Whistleblowing systems give organisations’ staff or other parties an opportunity to report unethical conduct, practices that are contrary to the organisation’s values or internal infringements anonymously. Whistleblowing systems can be used, for example, to ensure that the principles of an organisation’s decision-making and supervision system are followed in its daily administration.