Carry out data protection impact assessments

A data protection impact assessment (DPIA) evaluates the risks that a processing activity poses to the rights and freedoms of the data subjects.

Background

A data protection impact assessment (DPIA) evaluates the risks that a processing activity poses to the rights and freedoms of the data subjects.

According to Art. 35 (1) GDPR, a DPIA is always required in the following case: 

Where, by virtue of the nature, scope, context and purposes of the processing, a form of processing is likely to result in a high risk to the rights and freedoms of natural persons, in particular where new technologies are used, the controller shall carry out a prior assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may be carried out to examine several similar processing operations with similar high risks.

Risks to the rights and freedoms of data subjects exist in particular where disclosure of the processed personal data would have serious effects on the data subject's ability to lead an undisturbed life. Possible examples are: 

  • Profiling or prognosis of economic situation
  • Profiling or prognosis of preferences or interests
  • Disclosure of medical records and diagnostic data

These example risks are stored in the Robin Data Software.

According to Art. 35 (7), the DPIA contains at least the following aspects, which are included in the Robin Data Software: 

  1. "a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  3. an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
  4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned."

The objective of the DPIA is to systematically identify and assess the risks of the data processing and to define measures that avoid, transfer or mitigate each risk.

Each risk must be adequately reduced or transferred. If this cannot be achieved, the processing activity must not be operated. Where the residual risk remains high despite the planned measures, Art. 36 GDPR additionally requires the controller to consult the supervisory authority before the processing starts. 

Would you like to learn more about data protection impact assessments?

Wiki article Data Protection Impact Assessment (DPIA): Risk Assessment under Article 35 GDPR.

Procedure

A data protection impact assessment is a complex process. All risks of the kind described above must be identified and assessed for a specific processing activity.

You can create several DPIAs per processing activity and thus treat several risks of this procedure separately. In many cases, it may be appropriate to create only one DPIA per procedure.

Guidance from the Data Protection Conference (Datenschutzkonferenz, DSK) can be found here. We recommend carrying out the DPIA together with a data protection expert.

The data protection impact assessment is a function that is available from the "Basic" license upwards. For more information, please contact Sales at sales@robin-data.io or on +49 3461 479896-0.

Manage data protection impact assessments

  1. In the main menu click on Data protection: A dropdown menu will open. 
  2. In the dropdown menu click on Data protection impact assessments: The table view will open.

The general functionality of the table view is described in the article Using the table view.

(Image: dpia_1)

The table view shows an overview of all DPIAs created so far.

Create data protection impact assessments

  1. In the main menu click on Data protection: A dropdown menu will open. 
  2. In the dropdown menu click on Data protection impact assessments: The table view will open.
  3. Select the button +Risk: A quick start input mask opens in which the title can be recorded.
    (Image: Zwischenfenster-dpia-EN)
  4. Fill out the fields of the quick start input mask.
  5. Click on Edit: An empty input mask will open.
  6. Fill out the input mask.
  7. Click on Save: The DPIA has been created.

Note

If you select Without edit in the quick start window, the data protection impact assessment will be saved in the table view without any further details, and can be edited at a later time. 

Data areas of the input mask

(Image: dpia_3)

The left form area has the following data areas:

  • Document ID: Assign a document ID to the DPIA. Document IDs provide system-wide unique marking and identification of documents (more information on the help page "Documented Information").
  • Risk description: in this area you define the risk or risks for the processing activity. 
  • Risk treatment: This is where you assess the risk and define concrete measures on how to mitigate this risk.

Data area: Risk description

This data area has the following form fields: 

  • Title: Describe in a short sentence what risk you want to analyse.
  • Processing activity concerned: Select the procedure for which you are conducting this data protection impact assessment.
  • Purpose of processing: The purpose corresponds to the documented purpose of the procedure under consideration here. This can only be changed directly in the selected procedure.
  • Legitimate interest: The legitimate interest corresponds to the documented legitimate interest of the procedure under consideration here. This can only be changed directly in the selected procedure.
  • Description of the risk: Describe the risk in short bullet points or sentences. 
  • Proportionality of purpose: Document why the processing is necessary and proportionate in relation to its purpose (Art. 35 (7) (b) GDPR), i.e. why the purpose cannot be achieved with less intrusive processing. The likelihood of the risk occurring is recorded separately in the Risk treatment area. 

Data area: Risk treatment

This data area has the following form fields: 

  • Probability of occurrence: Assess the likelihood of the risk occurring.
  • Danger to the freedoms of data subject: Estimate the severity of the consequences for the rights and freedoms of the data subjects if this risk occurs.
  • Risk assessment: Assess the overall impact of the risk on the data subjects.
  • Risk mitigation measures: Define measures to avoid, transfer or mitigate this risk.
  • Implementation effort: Estimate the effort required to implement the measures. Measures should be implementable with a proportional effort in relation to the purpose, risk and possibilities of the responsible party.
  • Risk assessment by measure: Assess whether the risk has been adequately reduced by the measures defined above (residual risk). If the residual risk has not been adequately reduced, the associated procedure must not be operated.

The right form area has the following data areas:

  • Status: Record the status and release cycle of the data protection impact assessment.
  • Governance Tab: The Governance Tab is available in several documents in the Robin Data software. It offers the possibility to record various basic parameters for the respective document. A more detailed explanation can be found in the article Manage Governance Content.
  • Activity Tab: This tab displays all the activities associated with your record. To create an activity, click the Create Activity button in the upper right corner. This will open a new input form; for a more detailed explanation please refer to the article Use input masks with forms.
  • Attachments tab: In this tab you can add related documents by clicking the Add Attachment button. For a more detailed explanation, see the article Use input masks with forms.
  • External Links Tab: In this tab you can link related information using the Add external link button. For a more detailed explanation, see the article Use input masks with forms.

Data area: Status

In this data area it is possible to manage the status of a document and to map the release procedure of this document. 

  • A DPIA is usually created by one person, for example an employee of the specialist department that operates the processing activity.
  • A second person should then check whether the assessment and the planned measures comply with the law. This can be done by the data protection officer, for example.
  • At the end of the chain, someone must formally approve the DPIA. This can be done, for example, by the responsible supervisor.

This data area has the following form fields: 

  • Status: Enter the current processing status of the DPIA.
  • Performed by: Enter the person who created this DPIA.
  • Performed on: Enter the date on which the creation of this DPIA was completed.
  • Tested by: Enter the person who reviewed this DPIA.
  • Tested on: Enter the date on which the review of this DPIA was completed.
  • Released by: Enter the person who released this DPIA.
  • Released on: Enter the date this DPIA was released for use.
  • Notes: Add notes to the DPIA.

Further questions? - We are here for you.

If you have any questions about the software, please contact our support team. You can reach us at support@robin-data.io.