Data protection impact assessment (impact assessment)
Data protection impact assessment
A data protection impact assessment is a procedure designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them. It is an important tool for accountability, as it helps controllers not only to comply with the requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with such requirements. In other words, an impact assessment is a process for building and demonstrating compliance. Carrying out an impact assessment is not mandatory for every processing operation. It is only mandatory when the processing is likely to result in a high risk to the rights and freedoms of natural persons.
When a data protection impact assessment is mandatory
An impact assessment is mandatory if the processing is likely to result in a high risk to the rights and freedoms of natural persons. Anyway, the mere fact that the conditions triggering the obligation to carry out an impact assessment have not been met does not, however, exempt controllers from the general obligation to implement measures to appropriately manage risks to the rights and freedoms of data subjects. The controllers need to constantly assess the risks that their data processing activities may imply, so that they can identify when a type of processing is likely to result in a high risk to the rights and freedoms of data subjects.
A risk is a scenario describing an event and its consequences, estimated in terms of severity and likelihood.
«The rights and freedoms of natural persons» concern not only the rights to data protection and privacy, but may also involve other fundamental rights, such as freedom of speech and thought, freedom of movement, prohibition of discrimination, rights to freedom, conscience and religion.
The GDPR identifies when an impact assessment is required, but it is only a general indication and encourages the national supervisory authorities to establish and made available a list of the kind of processing operations which are subject to the obligation:
1. a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
2. processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences
3. a systematic monitoring of a publicly accessible area on a large scale.
The Italian supervisory authority has issued a list of kind of processing operations entailing an impact assessment.
Who is obliged to carry out an impact assessment
It is up to the controller to ensure that an impact assessment is carried out. Carrying out an impact assessment may be done by someone else, but the controller remains responsible for this obligation. The controller should also seek the DPO‘s advice (if appointed) and such advice and the decisions taken by the controller should be documented within the impact assessment. The DPO should also control the impact assessment process. If processing activities are performed by processors, these processors should assist the controller in carrying out the impact assessment and provide all information necessary for this obligation, taking into account their tasks.
How and when to analyse the risk
As already mentioned, a risk is a scenario describing an event and its consequences, estimated in terms of severity and likelihood with respect to the rights and freedoms of data subjects.
The risk assessment does not have to be confused, or better, limited to the security measures, which are only a part to be taken into account. Elements to be considered are origin, nature, severity, likelihood and impact on the rights and freedoms of data subjects. The sum of these elements determines the level of the risk.
The risk assessment as regards the security measures should consider, among others:
1. availability of data (destruction, loss, unavailability)
2. integrity (alteration)
3. confidentiality (disclosure, communication, dissemination and unlawful or unauthorised access to data).
The risk assessment as regards the set of effects and consequences should consider, among others:
1. loss of control over personal data by data subjects
2. damage to reputation and identity theft
3. it is impossible to data subjects to exercise their rights
4. it is impossible to data subjects to freely decide services and opportunities
5. economic and financial loss
6. discrimination
7. physical and psychological damage
8. other relevant economic and social disadvantage.
The Italian Data Protection supervisory authority has issued – in cooperation with CNIL (French supervisory authority) – a free downloadable software (Italian version) to help carry out an impact assessment.
The impact assessment should be carried out in the design of the processing operations even if some of the processing operations are still unknown. Updating the impact assessment during processing will ensure that data protection and privacy are considered and will encourage the creation of solutions which promote compliance. Carrying out an impact assessment is a regular process and is not a one-time exercise. The impact assessment is an ongoing process, especially where a processing operation is dynamic and subject to ongoing change.
If the controller considers that the processing operation is not likely to result in a high risk to the rights and the freedoms of data subjects and does not carry out an impact assessment, the controller should document in writing such decision, describing the reasons.
Where an impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, it is required to consult the supervisory authority prior to carrying out the processing activities. As a part of the consultation process, it is required to submit to the supervisory authority the outcome of the impact assessment carried out and the envisaged measures to mitigate the risk.
How to manage and prevent risk
It is impossible to eliminate the risk, but to meet the principle of accountability, any feasible and reasonable organisational and technological tool should be applied to minimise and mitigate the risk. As a matter of fact, risk management can be defined as a coordinated set of activities aimed at preventing and monitoring risks.
Technological measures:
1. physical and logical security policies
2. regular update of software and security systems
3. tests on information technology tools used
4. access control and tracking of operations.
Organisational measures:
1. determining roles and responsibility
2. regular governance and audit
3. internal policies, instructions and procedures
4. training
5. procedures which ensure that data subjects can easily exercise their rights, contact details and means of contact.
Other general criteria (linked to the principles relating to processing of personal data):
1. data minimisation
2. anonymisation, pseudonymisation, encryption of data
3. safe keeping of data, storage limitation of data
4. data quality (accuracy, adequacy, updating, rectification, relevance, necessity of processing).
What the impact assessment should contain
Art. 37, par. 7, GDPR requires that the impact assessment shall contain, at least:
1. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller: maybe, it is the least complex part to develop because it is sufficient to indicate the purposes of data collection and processing and if such processing is based on the legitimate interest as a condition of lawfulness of processing, alternative or jointly with the other conditions set out in art. 6, GDPR
2. an assessment of the necessity and proportionality of the processing: here begin the most complex parts to be analysed, because the controller should decide whether personal data processing is really necessary to pursue the purposes envisaged and if, on the contrary, the same purposes can be achieved by using methodologies which do not require to process personal data (e.g.: using anonymous data – if a survey or a questionnaire is envisaged, assess whether it is essential that identifying data should be collected and the purpose of the survey can be achieved all the same)
3. an assessment of the risks to the rights and freedoms of data subjects: it is the most critical part of the analysis for the impact assessment. It requires to have methodologies and criteria appropriate and suitable to assess the risk which data processing may imply for the rights and freedoms of data subjects, not only for the confidentiality of their personal data but also for the alleged behavioural conditioning which processing may induce or to its likely consequences
4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned: though processing impact and the consequent alleged risk may recall only technical security measures, it is here required to take into account all the procedures – so, also, organisational ones – which are envisaged to mitigate the risk to data subjects.
Further information can be added if considered to be important to the analysis.
Also this obligation, inexorably, given the information to be collected and to be analysed to perform it properly, recalls the controller’s responsibility with respect to the decisions taken (accountability).
What methodology to use to carry out an impact assessment
Supervisory authorities have made available software to carry out an impact assessment. Nonetheless, the methodology to apply is set out in the GDPR which lists the minimum features:
1. a general description of the envisaged processing operations and the purposes of the processing
2. an assessment of the necessity and proportionality of the processing
3. an assessment of the risks to the rights and freedoms of data subjects
4. the measures envisaged to address the risk and to demonstrate compliance with the GDPR.
The flow of the methodology can be summarised in:
1. description of the envisaged processing
2. assessment of the necessity and proportionality of data processing
3. measures regularly envisaged and applied
4. assessment to the risk to the rights and freedoms of data subjects
5. measures envisaged to address the risk
6. documentation of the procedure
7. control and review of the impact assessment.
Criteria for an acceptable impact assessment
To assess whether or not an impact assessment is sufficiently comprehensive to comply with the GDPR, it is suggested describing:
1. systematic description of the processing activity (nature, context and purposes of data processing, personal data processed, recipients and the envisaged period of storage, hardware, software, networks, people, paper forms or paper transmission channels)
2. assessment of necessity and proportionality of the processing (specified, explicit and legitimate purposes, legal bases for the processing, adequacy, relevance of data, limited storage duration)
3. measures which help to respect rights of data subjects
4. management of the risks to the rights and the freedoms of data subjects (risk assessment, as for the consequences of the risk and security measures, origin, nature, severity and particularity of the risks, and more specifically for each risk, measures envisaged to manage the risk)
4. advice of the DPO.
To learn more, read FAQs or contact me.
Leave a Reply