
Data protection impact assessment - the legislation (short summary)

In certain circumstances it is mandatory to carry out a "data protection impact assessment" - in short DPIA. A DPIA is a procedure to evaluate whether the processing of personal data entails risks for the rights and freedoms of the person whose data is processed and how these risks can be controlled.

Article 35.2 of the GDPR states that a data protection impact assessment is required in the following cases:

  1. a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
  2. processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10
  3. a systematic monitoring of a publicly accessible area on a large scale

The WP29 has drawn up a list of nine factors that help to assess if there is a high risk. The more factors that are present in the processing, the greater the chance that there is a high processing risk. You have to assess on a case-by-case basis whether the risk is high and if a DPIA is therefore necessary. These nine criteria are:

  1. Evaluation or scoring
  2. Automated decision-making with legal or similar significant effect
  3. Systematic monitoring
  4. Sensitive data - special categories of data (Ref. Art. 9 and Art. 10)
  5. Data processed on a large scale
  6. Datasets that have been matched or combined
  7. Data concerning vulnerable data subjects
  8. Innovative use or applying technological or organisational solutions
  9. When the processing in itself "prevents data subjects from exercising a right or using a service or a contract"

The GDPR sets out the minimum features of a DPIA (Article 35(7), and recitals 84 and 90):

  • a description of the envisaged processing operations and the purposes of the processing
  • an assessment of the necessity and proportionality of the processing
  • an assessment of the risks to the rights and freedoms of data subjects
  • the measures envisaged to
    • address the risks
    • demonstrate compliance with this Regulation

The following figure illustrates the generic iterative process for carrying out a DPIA.

[Figure: DPIA cycle]

A "risk" is a scenario that describes an event and its consequences (in relation to the rights and freedoms of natural persons), estimated in terms of severity and probability. Severity ranges from critical (e.g. there is considerable, real damage to a number of people involved) to moderate (e.g. a minor or procedural problem that does not lead to significant damage). Probability is the likelihood of a risk occurring (ranging from probable to unlikely).


Data protection impact assessment - how it works in Tools4GDPR

The Tools4GDPR application allows you to make a simple preparatory analysis for a data protection impact assessment (DPIA). The data register gives a detailed and clear description of the processes and corresponding goals. The DPIA module allows you to display which data is being tracked. The combination of the register and the list of data that you keep allows you to make an assessment of the proportionality of the processing with regard to the goals.

You also have the opportunity to make an assessment of the risks to the rights and freedoms of those involved and to indicate which measures have been taken to limit these risks.

Furthermore, the module allows you to indicate whether you are processing special categories of personal data (Art.9, Art.10) and which exception rule you use to process this data.

To create structure within a DPIA, different levels are defined:

  • Each DPIA has different Systems
    • Different Data Groups can exist within each system
      • Different Data can exist within each data group

  1. A system

    A system consists of an assembly of one or more components (data groups) that together perform a certain function. Keeping track of personnel data in a paper file can be regarded as a system. If you also store the same data digitally in software, that is another system. (Although both systems may contain the same data groups/data, they are considered 2 different systems because they carry different risks.)

    For each system you can indicate whether the system performs processing that falls under the processing operations that involve a high level of risk. Then you can determine which risks are involved in using the system and how you evaluate these.

    Each system is divided into three sections: Description of the system, the processing types and the risk assessment.

    1. Description of the System

      The following data must be completed and saved:

      System: Name of the system
      Data Subject: Select the data subject that applies to this system from the list of data subjects
      Description: Description of the system
      Remarks: Remark about the system
      Location: Where the data of this system is stored
      Protection: General description of how the data is protected in this system
    2. Processing types

      Processing types indicate which types of processing operations are carried out that may involve a high risk. You can add different processing types for each system.

      Name: Description
      Processing type: Select a processing type from the list. (Processing types can be created via setup of Processing types.)
      Remarks: In the comment you can give a clarification (detailed description) about the entered processing type
    3. Risk assessment

      For the Risk assessment, a combination of 3 elements must always be entered. You can enter multiple combinations if necessary for the given system.

      Name: Description
      Risks: Select a risk for the processing from the list. (Risks can be created via setup of Risks.)
      Severities: Select the severity of the risk on the given system from the list. (Levels of severity can be created via setup of Severities.)
      Likelihoods: Select from the list the likelihood that a risk will occur for the given system. (Likelihood levels can be created via setup of Likelihoods.)
      Remark: Here you can optionally give a more extensive description of the risks and the actions taken
  2. Datagroup

    A data group consists of a collection of Data. A data group also belongs to a System.

    For each data group you can determine whether the data in the group belong to one of the special categories of personal data (Art 9 and 10). (Tip: this is a way to combine data groups). If the group is assigned a special category, it is also necessary to indicate which Processing exception rule you apply for processing the data anyway.

    Each data group is divided into two parts: Description of the data group and the determination of whether you are working with sensitive data (special category of data and exception rules).

    1. Description of the datagroup

      The following data must be entered and saved:

      Name: Description
      System: Select from the list the System to which this data group belongs. (Systems can be created via setup of Systems.)
      Datagroup: Name of the datagroup
      Description: Description of the datagroup
      Remarks: You can enter a comment about the data group
      Storage periods: Select from the list the general retention period that is valid for this data group. (Retention periods can be created via Set-up of Storage periods.)
    2. Sensitive data

      Sensitive data shows whether you are processing special categories of data, and which processing exception rules are used.

      For the sensitive data section, a combination of 3 elements must always be entered. You can enter multiple combinations if necessary for the given datagroup.

      Name: Description
      Special categories: Select a Special Category from the list. (Special Categories can be created via setup of Special categories.)
      Processing exception rule: Select a Processing Exception Rule from the list. (Processing Exception rules can be created via setup of Processing exception rules.)
      Remarks: In the comment you can give a clarification (detailed description) about the special category of data and/or the exception rule
  3. Data

    A data item is the description of the specific data being processed. Examples of data are: Name, First name, Salary, Bank account number, ... This is NOT about the content of the data, but about the description of the data that is kept or processed.

    Data is grouped into Datagroups.

    1. Description of the data

      The following data must be completed and saved:

      Name: Description
      Datagroup: Select from the list the Data group to which this field belongs. (Data groups can be created via Set-up of Datagroups.)
      Data name: Name of the data
      Description: Description of the data
      Remarks: You can enter a comment about the data
      Storage periods: Select from the list the storage period that is valid for this data group. (Storage periods can be created via Set-up of Storage periods.)
      Start date: Date since when you have been processing this data
      Stop date: Date since when you no longer process this data
      Sensitive data: Check if this data group contains sensitive data
  4. Access to the data

    Access to the data allows you to specify which user groups or specific users have access to which data groups and/or specific data.

    User Groups and Users can be created via the setup.

    To select specific user groups or systems, you can set a filter. You choose one or more user groups and/or one or more systems. By pressing the "Filter" button you display only the data you have filtered. To see all the data again, click the "All" buttons.

    To indicate which user group or user has access to which data groups or data, tick the corresponding checkbox.


Data protection impact assessment - Set-up tables

  • Risk Types

    Risk Types are a way to group Risks. Different Risks can be grouped per Risk Type. During the installation of the program an indicative list with some Risk Types is included. Note: this list does not cover all situations. You can also change, add or remove items from this list.

    Name: Description
    Risk Type: Name of the Risk Type
    Description: Description of the Risk Type

    Risks

    During the installation of the program an indicative list with some Risks is included. Note: this list does not cover all situations. You can also change, add or remove items from this list.

    Name: Description
    Risk Type: Select the Type from the list of Risk Types that fits the risk you want to enter. (Risk Types can be created via setup of Risk Types.)
    Risk: Name of the risk
    Description: Description of the risk

    Severities

    Name: Description
    Severity: Name of the severity
    Description: Description of the severity

    Likelihoods

    Name: Description
    Likelihood: Name of the Likelihood
    Description: Description of the likelihood

    Processing types

    Processing types indicate which types of processing operations are carried out that may involve a high risk. During the installation of the program an indicative list is included in which some Risks are included. Note: this list is based on the initial list in WP29 and does not cover all situations. You can also change, add or remove items from this list.

    Name: Description
    Processing type: Name of the processing type
    Description: Description of the processing type

    Special Category Types

    Special Category Types are a way to group Special Categories of personal data. (See Special Categories.)

    Name: Description
    Special Category Type: Name of the Special Category Type
    Description: Description of the Special Category Type

    Special categories

    Special Categories (Art 9 and 10) are personal data that cannot be processed unless a processing exception rule is in effect. During the installation of the program a list is included in which the Special Categories are included. Note: this list does not cover all situations. You can also change, add or remove items from this list.

    Name: Description
    Special categories Types: Select from the list of Special Category Types the Type that fits the Special Category you want to enter. (Special Category Types can be created via setup of Special Category Types.)
    Special Category: Name of the special category
    Description: Description of the special category

    Processing exception rules

    Exception rules indicate whether particular categories of data may be processed. During the installation of the program a list is included in which the Processing Exception Rules are included. Note: this list is based on the initial list in Art.9. You can also change, add or remove items from this list.

    Name: Description
    Processing exception rule: Name of the processing exception rule
    Description: Description of the processing exception rule

    User groups

    User groups are a way to group Users.

    Name: Description
    User group: Name of the User group
    Description: Description of the User group

    Users

    The intention is not to add individual user names here, but rather the functions that have access to the data.

    Name: Description
    User Group: Select from the list of User Groups the group to which the user belongs. (User groups can be created via setup of User Groups.)
    User: Name of the user (function)
    Description: Description of the user (function)
    Start Date: Start date of the user
    End Date: End date of the user
