How to "data privacy impact assessment"

Without exception, every company, whether medium-sized or large, must regularly ask itself how effective data protection compliance can be ensured. In addition to generally known terms such as the data protection notices or the so-called processing directory, the data protection impact assessment in particular can be seen as an effective tool for the comprehensive evaluation of a specific data processing operation.

Although a large number of processes ultimately have to be subjected to a data protection impact assessment, we encounter problems, misconceptions and difficulties in dealing with this procedure surprisingly often in our consulting practice. This is sometimes due to the fact that many companies are not really aware of what information a data protection impact assessment actually has to depict. In addition, care should be taken to ensure that the respective explanations - despite the technical complexity of some procedures - remain comprehensible for the reader (and possibly also the supervisory authority). In order to provide you with an initial "support" in this respect, the most important aspects are outlined below.

The facts

Article 35(1) of the General Data Protection Regulation (GDPR) provides for the performance of a data protection impact assessment for certain "forms of processing" likely to result in a high risk to the rights and freedoms of natural persons by virtue of the use of new technologies, the nature, scope, context and purposes of the processing. Although a risk assessment must always be carried out on the basis of all the circumstances of the individual case, there are some aids that enable a corresponding assessment.

First of all, Article 35 (3) of the GDPR lists various cases in which a data protection impact assessment must be performed. This concerns, for example, the systematic extensive monitoring of publicly accessible areas (classic example: video surveillance). As can be seen from the wording of the standard ("in particular"), the explicitly listed cases are not exhaustive. In addition, there is a so-called "must list" (cf. Art. 35 (4) GDPR), in which the data protection supervisory authorities prescribe the mandatory performance of a data protection impact assessment. The case groups developed in this context were not determined "arbitrarily", but were developed on the basis of some predefined "risk criteria" from Working Paper 248 of the Art. 29 Data Protection Working Party. These include, for example, data processing on a large scale and the processing of confidential or highly personal data. The more of the respective "risk factors" are present, the sooner a data protection impact assessment should be conducted.

Ultimately, the relevant constellations are regularly fields of application which, according to a healthy "gut feeling", (can) already lead to a corresponding (high) risk for data subjects. It is therefore obvious that, for example, biometric control systems, video surveillance systems or hospital information systems are associated with the performance of a data protection impact assessment.

The Content of a Data Protection Impact Assessment

If a data controller comes to the conclusion that a data protection impact assessment must be carried out, Article 35 (7) of the GDPR specifies a number of points that must be covered. In addition to a systematic description of the planned processing operations, the purposes pursued, an assessment of necessity and proportionality, and (as the "centerpiece") a risk analysis together with the remedial measures taken must also be presented.

In particular, the clarification and presentation of the facts is of central importance. In particular, the data controller should determine which other parties are involved in the data processing operation (e.g., processors), which "life cycle" the data in question go through, especially which hardware and software components (including further interfaces to other systems) are involved, over which period of time the data are stored, and who has or can have access to the data. In particular, supposedly "unimportant" details, such as support services in third countries (e.g., in the case of remote access), can lead to considerable data protection risks. Only when the aforementioned circumstances, among others, have been established beyond doubt can it be assessed which risks actually exist in the respective data processing operation. The determination of a legal basis under data protection law and the assessment of whether data processing is necessary and proportionate also requires a complete clarification of the facts.

Risk assessment

A risk is measured by the relationship between the severity of a (conceivable) loss and its probability of occurrence. In order to assess the risks that actually exist, a company can be guided in particular by the matrix created for this purpose by the Data Protection Conference in Brief Paper No. 18.

In the cited brief paper, a risk is understood to be "the existence of the possibility of the occurrence of an event which itself constitutes harm (including unjustified interference with the rights and freedoms of natural persons) or which may lead to further harm to one or more natural persons". According to Recital 75 of the GDPR, psychological, material and immaterial damage are conceivable.

First of all, it is therefore necessary to focus on the expected damage. Recital 85 of the GDPR lists typical groups of cases: Loss of control over one's own data, restriction of rights, discrimination, identity theft or fraud, financial losses, cancellation of pseudonymization, damage to reputation, violation of professional secrecy or other significant economic or social disadvantages.

If one considers the individual (non-exhaustive) damage items, then in addition to their severity, it must also be examined in each individual case what probability of occurrence is to be expected overall. In this context, it is particularly important to clarify which conceivable causes exist that could lead to a corresponding loss. There are a large number of conceivable case constellations here, including hacking attacks, (internal) misuse of data, or weaknesses in system quality. In order to enable an efficient assessment of the probability of occurrence, it is also necessary to take into account technical and organizational measures that have already been taken or are planned as defined in Article 32 (1) of the GDPR.

If one takes a thorough look at the aforementioned criteria, one quickly comes to the conclusion that conducting a data protection impact assessment is not a simple task and that a large number of factors must be taken into account. On the other hand, however, it must also be taken into account that the respective document is not "overloaded" and remains comprehensible for the reader.

Methodical approach as an effective support

To shed some "light on the darkness" at this point, we can first reassure you. With the right planning and approach, a data protection impact assessment can be carried out efficiently. Based on our experience in the automotive industry and the healthcare sector, among others, we have developed effective methods that serve to clarify the relevant facts and take into account the classic issues. We can also draw on a wide range of sample documents, legal tech applications and empirical values for the relevant legal issues. If a data protection impact assessment is planned correctly and then carried out effectively, one or the other stumbling block in data protection compliance can be eliminated and a practicable solution found.

We would be happy to assist you in this regard.