A practical guide to assessing the impact of data protection

Recently, the Autoritat Catalana en Protecció de Dades Catalan Data Protection Authority (ADPCAT) published a Practical Guide to Impact Assessment on data protection in order to help managers and those responsible comply with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 concerning the protection of individuals with regard to the processing and free movement of personal data (hereinafter RGPD).

One of the new aspects introduced by the RGPD is the obligation on those who are responsible for processing data to assess the impact of data processing on the protection of personal data, when it is possible that the processing may pose a significant risk to individuals’ rights and freedoms.

Therefore, when data processing, by its nature, scope, context or ends poses a high risk to the rights and freedoms of natural persons, especially when new technologies are used, the controller must first carry out a Data Protection Impact Assessment (DPIA).

In such cases, the controller must seek the advice of the Data Protection Officer (DPO). This advice and any decisions taken must be documented in the DPIA. Specifically, the person in charge of processing data must ask the DPO for their opinion regarding the following: whether it is necessary to carry out a DPIA, the methodology used to carry out the DPIA, determine whether it is appropriate to carry out the DPIA internally or if it is better to outsource it, the measures taken to protect individual’s rights and freedoms and to determine whether the DPIA has been carried out correctly, and whether its conclusions meet the data protection requirements.

In order to facilitate compliance with the GDPR, as established under Article 35.4 of the RGPD, the authorities have published on their website a list of the types of data processing which require an impact assessment concerning data protection. Nevertheless, the list is not exhaustive and it will be periodically updated. Therefore, the fact that a form of processing does not appear on the list does not mean that a DPIA should not be carried out. Therefore it will be necessary to verify with the DPO whether any processing will pose a risk to the rights and freedoms of individuals, especially if it involves new technologies.

For more information please read the Practical Guide to assessing the impact of data protection and the template for assessing the impact of data protection at the following link.