Impact assessments are designed to identify, evaluate and control the risks involved in the processing of personal data. They are not a one-off exercise but a continuous process: an impact assessment must be carried out before processing begins and updated whenever necessary.
The impact assessment procedure consists of describing the envisaged processing of personal data, assessing the necessity and proportionality of the processing operations in relation to their purposes, assessing the resulting risks to data subjects, and setting out the measures envisaged to address those risks. An impact assessment must be carried out if the envisaged processing of personal data is likely to result in a high risk to people's rights and freedoms.
The aim is to establish whether the remaining risk is justified and acceptable in the circumstances in question. Impact assessments help controllers to ensure, document and demonstrate their compliance with data protection regulations.
Controllers have a duty to seek the advice of their data protection officer, if they have appointed one, when carrying out impact assessments. If all or part of the processing of personal data has been outsourced to a processor, the processor must assist the controller in carrying out the impact assessment.
Impact assessments can be carried out on individual processing operations or on groups of processing operations. Multiple processing operations can only be covered by a single assessment if they are similar and present similar risks.
A revision is required if the risks resulting from the associated processing operations change. Such changes can relate to the context or purposes of the processing, the nature of the personal data (whose personal data, or what personal data, are being processed), the recipients of the data, the way data are combined, the security measures, transfers of data outside the EU and the EEA, or the adoption of new technology.
The criteria for carrying out impact assessments also apply to ongoing processing operations launched before 25 May 2018. In other words, controllers also need to carry out impact assessments on any ongoing processing operations whenever the criteria laid down in data protection regulations are satisfied.
When is a data protection impact assessment required?
An impact assessment may be required on any of the following grounds:
- one of the processing scenarios specified in the General Data Protection Regulation applies
- the processing operation is of a type included in the list published by the competent data protection authority
- national law requires it.
Impact assessment in the case of the processing scenarios specified in the General Data Protection Regulation
An impact assessment must be carried out if the envisaged processing of personal data is likely to result in a high risk to people's rights and freedoms. An impact assessment is required in particular when the operation involves
- using new technologies
- processing on a large scale of personal data relating to criminal convictions or offences or of special categories of personal data, such as data concerning health or revealing ethnic origin, political opinions, religious beliefs or sexual orientation
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
- a systematic monitoring of a publicly accessible area on a large scale.
The Article 29 Data Protection Working Party has compiled guidelines that contain more detailed instructions and practical examples of situations in which a data protection impact assessment is required. According to the guidelines, a data protection impact assessment usually also needs to be carried out if a processing operation meets two or more of the criteria listed in the guidelines. The more of those criteria a processing operation meets, the more likely it is to result in a high risk to data subjects' rights and freedoms.
Read more about the guidelines on data protection impact assessment (pdf)
Impact assessments can also be required under national law, within the leeway the GDPR leaves to Member States.
For example, carrying out an impact assessment and submitting it to the Data Protection Ombudsman can be a precondition for derogating from the rights of the data subject for purposes of historical or scientific research or the compilation of statistics, as provided for in section 31 of the Data Protection Act.
In that case, the impact assessment concerns a situation in which the controller processes special categories of personal data, or personal data relating to criminal convictions and offences, for purposes of historical or scientific research and wishes to derogate from certain rights of the data subject.
More information: Derogating from the rights of data subjects in the context of scientific or historical research or for statistical purposes