Data Protection Impact Assessment (DPIA) according to Article 35 GDPR

The data protection impact assessment (DPIA) is governed by Article 35 GDPR and is a risk analysis used to describe and assess risks before certain data is processed. It is a complex process within data protection that does not have to be carried out before every data processing activity, but only for particularly critical processing operations that either use a certain automated system or involve special categories of personal data (according to Article 9 and Article 10 of the GDPR). Assessing the risk of the processing is intended to reduce that risk.

The risk analysis or impact assessment for data processing already existed in the BDSG (old). The corresponding procedure was regulated in Section 4d (5) and (6) and required prior checking as soon as automated processing operations entailed particular risks for the rights and freedoms of the data subjects.

Most important information about the data protection impact assessment (DPIA):

  • With the GDPR, data controllers are obliged to carry out a risk analysis for data processing.
  • This risk analysis is the basis for deciding whether a data protection impact assessment (abbreviated to "DPIA") must be prepared because a high risk arises
  • The legal requirements for the DPIA are set out in Article 35 GDPR
  • Certain organisations are obliged to carry out a DPIA
  • The data protection supervisory authorities have drawn up lists of processing activities for which a DPIA must or must not be carried out
  • The performance of the DPIA as well as the implemented measures to reduce identified risks are part of the documentation and accountability obligation pursuant to Art. 5 (2) GDPR
  • The data protection officer assists the controller in carrying out the DPIA in accordance with Art. 35 (2) GDPR

What is a data protection impact assessment?

The data protection impact assessment, or "DPIA" for short, is an instrument of the General Data Protection Regulation (GDPR) for protecting personal data in processing activities. This protection is ensured through a risk analysis that examines the possible consequences of processing operations. The DPIA is therefore also considered part of data protection risk management. Its legal basis is defined in Article 35 of the GDPR.

The aim of carrying out a DPIA is to take appropriate protective measures in the form of technical and organisational measures at an early stage in order to reduce the probability of occurrence of the identified risks.

The standard examples pursuant to Article 35 (3) of the GDPR: When is a data protection impact assessment mandatory?

Every company should check planned data processing operations to see whether they entail a risk to the rights and freedoms of natural persons. However, not every processing activity entails the obligation to carry out a data protection impact assessment.

Art. 35 (3) of the General Data Protection Regulation gives a general description of three so-called "standard examples" that require a data protection impact assessment in any case:

  • Systematic and comprehensive assessment of personal aspects of natural persons which is based on automated processing, including profiling, and which in turn serves as the basis for decisions that have legal effect vis-à-vis natural persons or affect them in a similarly significant way;
  • Extensive processing of special categories of personal data referred to in Article 9(1) or of personal data relating to criminal convictions and offences referred to in Article 10 (e.g. health data), or
  • Systematic and comprehensive monitoring of publicly accessible areas (e.g. video surveillance).

From these three points, three cases can be derived in which public and non-public bodies are obliged to carry out a DPIA as a prior check:

  • Credit reporting agencies that work with personal scoring procedures
  • Organisations that systematically monitor publicly accessible areas by video
  • Organisations that collect, store and process data relating to criminal offences and criminal convictions

At what point should the DPIA be carried out?

A data protection impact assessment is a complex process that must be carried out before processing starts. However, existing processing activities must also be reviewed to determine whether they also fall under the DPIA obligation. The Data Protection Conference (DSK) assesses the preparation of a DPIA as relatively time-consuming and recommends carrying it out with the support of a data protection management system, especially since preparing the data protection impact assessment is not a one-time process, but rather a continuous process of preparation, execution, implementation and review. The assessment of risks per processing activity is possible with the Robin Data software.

What is the must list of a data protection impact assessment according to Art. 35 (4) GDPR?

According to Art. 35 (4) GDPR, data protection supervisory authorities are obliged to publish a list of the processing operations for which a data protection impact assessment is to be carried out in accordance with paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.

You will find an overview of the must lists per federal state in the section Publications and downloads.

If a processing activity is included in the list, a data protection impact assessment must be carried out for it. The lists of the supervisory authorities are continuously extended and are therefore not to be regarded as conclusive. As a matter of principle, controllers must check whether one of the cases from Art. 35 (3) GDPR or a high risk according to Art. 35 (1) GDPR applies.

Note

We continuously incorporate the current status of the positive and negative lists of the data protection supervisory authorities into our Robin Data software. So you have all the information in one place.

What are the minimum contents of the data protection impact assessment pursuant to Article 35 (7) of the GDPR?

Art. 35 (7) GDPR describes the minimum requirements for carrying out an impact assessment as follows:

  1. a systematic description of the intended processing operations and the purposes of the processing, including, where appropriate, the legitimate interests pursued by the controller;
  2. an assessment of the necessity and proportionality of the processing operations in relation to the purpose;
  3. an assessment of the risks to the rights and freedoms of the data subjects referred to in paragraph 1; and
  4. the mitigating measures envisaged to address the risks, including safeguards, security measures and procedures to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

Carrying out the data protection impact assessment in 6 steps

Step 1: Planning and analysis of the processing activity

The data protection impact assessment should be carried out before the introduction of the processing activity. As a first step, data controllers should therefore collect and describe planned processing activities and then check them by means of risk analysis. Existing processing activities must also be checked to see whether they also fall under the obligation of a data protection impact assessment. The preparation of the data protection impact assessment should not be regarded as a one-off process, but as a continuous process within data protection management.

Step 2: Check the need for a DPIA

The following approach is recommended:

  • Check: Is the processing activity part of the "must list" of the competent supervisory authority?
  • If not: Does one of the points under Art. 35 (3) GDPR apply to the processing activity?
  • If not: Is there a high risk according to Art. 35 (1) GDPR? (Carry out the threshold analysis)
  • If not: No data protection impact assessment needs to be carried out

Step 3: Assessment of processing activities by means of threshold analysis

The register of processing activities contains all data processing processes of your company. The better the documentation of the processing activities, the easier the subsequent data protection impact assessment. Accordingly, the register is also the starting point for the DPIA and, ideally, the threshold analysis of the respective processing activity and the classification of whether it requires a data protection impact assessment are done directly in it.

  • Controllers can assess whether a DPIA needs to be carried out for processing activities by means of a systematic risk assessment, the so-called threshold analysis.
  • The results of the threshold analysis are part of the data protection documentation
  • It is recommended to document the threshold analysis in the respective processing activity
  • The preliminary stage of a risk analysis is an assessment of the need for protection of the personal data to be processed based on the types of data (customer data, employee data, tax data, health data, etc.).

A data protection impact assessment is necessary for a processing activity if the majority of the threshold analysis criteria are fulfilled. The criteria are taken from WP 248 Rev. 01 for classifying processing operations and are the following:

  • Data of vulnerable data subjects are processed
  • Personal data are transferred outside the EU
  • Novel technologies are used
  • Scoring, profiling, evaluation of persons is carried out
  • Data files of personal data are compared or merged
  • Systematic monitoring of persons is carried out
  • Personal data are processed on a large scale
  • The exercise of data subjects' rights is impeded
  • Sensitive personal data are processed (pursuant to Art. 9 GDPR)
  • Automated individual case decisions are carried out

Step 4: Assess the existing risks

Once the existing risks have been identified on the basis of the processing activities in the company, the level of risk to the rights and freedoms of natural persons must be assessed. For this purpose, the following aspects (Recital 75 of the GDPR) are considered in more detail:

  • Probability of occurrence and amount of damage: The probability of occurrence and the amount of damage of a risk can be classified as negligible, low, medium or high.
  • Danger to the civil liberties of those affected: The processing of personal data that does not comply with data protection law can have far-reaching consequences. It can lead to physical, material or non-material damage, in particular if the processing leads to discrimination, identity theft or fraud, financial loss, damage to reputation, and more.
  • Assessment of the risk: On the basis of the possible consequences for the civil liberties of those affected, the overall risk for those affected must be assessed. The consequences for those affected range from no impairment, through no particular impairment and impairment of reputation or livelihood, to danger to life, limb or personal freedom.
  • Risk minimisation measures: Based on the previous steps, measures must be defined with the help of which the existing risk can be avoided, transferred or mitigated.
  • Implementation effort: The effort of the measures to be implemented should also be included. Measures should be implementable with a proportionate effort in relation to the purpose, risk and possibilities of the responsible party.
  • Risk assessment after the measure has been taken: Controllers then assess whether the risk has been adequately reduced on the basis of the measures implemented. If the risk has not been adequately reduced, the processing activity concerned may not be continued.

Step 5: Selection of suitable measures to reduce the risks

The identified risks must be reduced or even prevented by appropriate measures. For this purpose, appropriate technical or organisational measures are selected, assessed and implemented. If it turns out during implementation that planned measures are not effective or sufficient to reduce the risks, new measures must be selected or the processing activities must be adapted. After the measures have been established, they are tested for their effectiveness.

Step 6: Documentation of the data protection impact assessment carried out

According to Art. 5 (2) GDPR, the controller is subject to a documentation and accountability obligation under which compliance with the General Data Protection Regulation must be demonstrated to the supervisory authority. The documentation of the data protection impact assessment carried out and a confirmation of the effectiveness of the implemented measures are important building blocks for fulfilling this obligation.

What can happen if companies do not perform a DPIA?

If a company does not carry out a data protection impact assessment although one would be necessary, it faces warnings in the mildest case and fines from the data protection supervisory authorities in the worst case. According to Article 83(4) of the GDPR, breaches of the provisions relating to the data protection impact assessment can be punished with fines of up to EUR 10 million or, in the case of an undertaking, of up to 2 % of its total annual worldwide turnover in the preceding business year, whichever is the greater.

Is the implementation of the DPIA the responsibility of the data protection officer?

According to Article 35(1) GDPR, the controller must carry out the data protection impact assessment. Since the DPIA is a complex procedure, the data protection officer supports its implementation in accordance with Art. 35 (2) GDPR. This only applies where a data protection officer has been appointed.

Support in the implementation of DPIAs

Implementing the various legal and normative requirements of data protection impact assessment can seem complicated. Regular reviews and updates of processing activities and data subject risk assessment are an essential part of your data protection management system. Our Data Protection Officers (DPOs) are happy to help you implement your DPIAs. Find out about the benefits, process and costs with Robin Data.

Data protection impact assessment with Robin Data software

Import processing activities

The special thing about Robin Data is that the data protection software already contains thousands of examples and templates from the area of data protection. These have been entered into the software's database by Robin Data's data protection officers and lawyers. You can import the processing activities that apply to your company from the Robin Data database with just a few clicks.

Import the processing activity templates into your data protection documentation

Perform threshold analysis

Use the online form to assess the risks posed to data subjects by this processing activity. As a rule of thumb, a data protection impact assessment is required if 2 or more of the following criteria are fulfilled. If one is required, a data protection impact assessment must be prepared.

Carry out a data protection impact assessment

You can create several DPIAs per processing activity and thus treat several risks of this procedure separately. In many cases, it may be appropriate to prepare only one DPIA per procedure. You develop the necessary contents of the data protection impact assessment step by step and establish relevant contents for risk treatment.

Technical or organisational measures

Search Robin Data's database for suitable risk reduction measures and import them into your data protection documentation. You can store the selected measures directly with the corresponding processing activity.

Implement data protection documentation on the side

By working out the relevant steps for a data protection impact assessment in the Robin Data software, you document them simultaneously and automatically. You can export important components such as the list of processing activities as a PDF from the software and save it locally. In this way, you comply with the verification and accountability obligations of the GDPR and are prepared for an inspection by a data protection supervisory authority.

Visit our free demos

We regularly offer online demos in which we introduce you to our Robin Data data protection software. Get insight into the structure and functional scope of the digital activity report of the Robin Data software. Our experts will give you and other interested parties comprehensive insight and answer your questions.

Publications and downloads

The Federal Data Protection Commissioner's "must list" for data protection and information security

Data Protection Conference

Bavaria

The "must lists" of other federal states

*Refers to the DSK list for the non-public area

Caroline Schwabe