Data Protection Impact Assessment (DPIA): Risk assessment according to Article 35 GDPR
The data protection impact assessment (DPIA, German: DSFA) is set out in Article 35 GDPR. It is a risk analysis used to describe and assess risks before certain data is processed. The data protection impact assessment is a complex process within data protection. It does not have to be carried out before every data processing activity, but only for particularly critical processing operations that either use certain automated systems or involve special categories of personal data (according to Article 9 and Article 10 of the GDPR). Assessing the risk of the processing is intended to reduce that risk.
The risk analysis or impact assessment for data processing already existed in the old BDSG. The corresponding procedure was regulated in Section 4d (5) and (6) and required a prior check as soon as automated processing operations entailed particular risks for the rights and freedoms of the data subjects.
When is a data protection impact assessment necessary?
Article 35 of the General Data Protection Regulation gives a general description of three cases, each of which requires a data protection impact assessment:
- systematic and comprehensive assessment of personal aspects of natural persons that is based on automated processing, including profiling, and that in turn serves as the basis for decisions which have legal effect vis-à-vis natural persons or affect them in a similarly significant way;
- extensive processing of special categories of personal data referred to in Article 9(1) or of personal data relating to criminal convictions and offences referred to in Article 10 (e.g. health data); or
- systematic and comprehensive monitoring of publicly accessible areas (e.g. video surveillance).
In addition, the GDPR provides that data protection supervisory authorities shall publish a list of processing activities that present a high risk to the rights and freedoms of individuals and for which a DPIA is therefore strictly necessary. Within Germany, the respective supervisory authorities of the federal states have published both positive and negative lists.
- Positive list of the Data Protection Conference (DSK) DPIA for non-public bodies
- Overview of the BvD on positive lists of the data protection supervisory authorities of the federal states
- Negative list of the Bavarian State Commissioner for Data Protection
- Blacklist of the Bremen State Commissioner for Data Protection
These positive and negative lists are not to be regarded as exhaustive and are continuously adapted by the German data protection supervisory authorities. For orientation, it is worthwhile to take a look at the website of the responsible data protection supervisory authority.
How should the data protection impact assessment be carried out?
At what point should the DPIA be carried out?
A data protection impact assessment is a complex process that must be carried out before processing starts. However, existing processing activities must also be reviewed to determine whether they fall under the obligation to carry out a DPIA. The Data Protection Conference (DSK) assesses the preparation of a DPIA as relatively time-consuming and recommends carrying it out with the support of a data protection management system, especially since the data protection impact assessment is not a one-time task but a continuous process of preparation, execution, implementation and review. The assessment of risks per processing activity is possible with the Robin Data Software.
How is the data protection impact assessment linked to the inventory of processing activities?
The directory of processing activities contains all data processing operations of your company. The better the processing activities are documented, the easier the subsequent data protection impact assessment. Accordingly, the directory is also the starting point for the DPIA: the risk assessment of each processing activity, and the classification of whether that processing activity requires a data protection impact assessment, are carried out directly in this directory.
- Creation of a register of processing activities for your company
- Assessment of the risks of the processing activities on the basis of a checklist
- Preparation of a DPIA for high-risk processing activities
What are the contents of a data protection impact assessment?
The risk description
According to Article 35 of the GDPR, a systematic description of the processing operations envisaged and the purposes of the processing, including, where relevant, the legitimate interests pursued by the controller, together with an assessment of the necessity and proportionality of the processing operations in relation to the purpose.
The risk treatment
An assessment of the risk to the freedoms of the data subjects, made by classifying the probability of occurrence and the level of damage, followed by a final evaluation of the risk. In addition, measures to minimise or manage the risks.
Who needs to carry out a data protection impact assessment?
According to Article 35(1) GDPR, the controller must carry out the data protection impact assessment. Since the DPIA is a complex process, the data protection officer can assist in carrying it out, as described in Article 35(2) of the GDPR. This only applies if a data protection officer has been appointed. Read more about the appointment of a data protection officer in our article.
What can happen if companies do not perform a DPIA?
If a company does not carry out a data protection impact assessment although one would be necessary, it faces warnings in the mildest case and fines from the data protection supervisory authorities in the worst case. According to Article 83(4) of the GDPR, breaches of the provisions relating to the data protection impact assessment can be punished with fines of up to EUR 10 million or, in the case of an undertaking, up to 2 % of its total annual worldwide turnover in the preceding business year, whichever is the greater.