The effortless compliance solution - heyData

Data Protection Impact Assessment under the GDPR

With the introduction of the General Data Protection Regulation (GDPR), companies are required to exercise increased care in handling personal data. A key component of this process is the data protection impact assessment (DPIA). Our experts are ready to help you conduct and implement a successful DPIA.

What is a Data Protection Impact Assessment (DPIA)?

A Data Protection Impact Assessment (DPIA) according to Art. 35 GDPR is a procedure used to assess the impact of certain processing operations on the protection of personal data. It is carried out to minimize the risks associated with data processing and to ensure that all data protection requirements are met. A practical example shows the importance of this procedure: by carrying out a data protection impact assessment, companies can reduce the risk of liability in the event of data leaks, cyberattacks or other data protection breaches. It also helps to avoid high fines from data protection authorities, which can occur if the rights of data subjects are not taken into account. Overall, the data protection impact assessment helps minimize both legal and financial consequences and strengthens the trust of data subjects.

Why is the DPIA so important?

The Data Protection Impact Assessment (DPIA) is of key importance for several reasons:

  • Legal compliance: A DPIA is a legal requirement under Article 35 of the General Data Protection Regulation (GDPR). Non-compliance can result in significant penalties, including fines of up to €20 million or 4% of annual global turnover in the previous fiscal year, whichever is greater.
  • Risk mitigation: A DPIA enables companies to identify potential data protection risks early and develop measures to mitigate them. This reduces the risk of data breaches and the associated negative consequences, such as reputational damage and loss of trust.
  • Data protection by design and by default: The DPIA supports the principles of Privacy by Design and Privacy by Default by ensuring that data protection considerations are integrated into new projects, processes, or products from the outset.

When is a data protection impact assessment necessary according to the GDPR?

Article 35(1) of the GDPR states that a DPIA is necessary if the planned processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons. To help assess the risk of a processing operation, a group of experts has compiled a list of 9 criteria that increase the risk.

9 Criteria for a High-Risk Level for Data Protection

  1. Evaluation or classification of data subjects
  2. Automated decision making
  3. Observation, monitoring or control of data subjects (Article 35(3)(c) GDPR)
  4. Processing of confidential or particularly personal data
    • Special categories of personal data within the meaning of Article 9(1) or Article 10 GDPR
    • Health data (Section 67(1) SGB X)
    • Social data
    • Financial data
  5. Data processing on a large scale
  6. Data sets are merged from two or more processing operations
  7. Processing data of vulnerable data subjects
    • Children
    • Employees
    • Citizens with special protection needs (e.g. mentally ill persons, asylum seekers, senior citizens, and patients)
    • Affected persons where there is an unequal balance of power
  8. Use of advanced technologies or solutions such as facial recognition, IoT, AI, etc.
  9. Processing prevents data subjects from exercising rights or fulfilling services/contracts

A Data Protection Impact Assessment is required if the risk to data subjects is high and at least two criteria are met. Supervisory authorities are obliged to publish "positive lists" of the processing operations for which a DPIA is required. Processing activities that meet only a few criteria can nevertheless pose a high risk and therefore also require a case-by-case assessment.

What should the DPIA contain and how often should it be conducted?

Article 35(7) of the GDPR states that a DPIA must include a systematic description of the intended processing operations, an assessment of the necessity and proportionality of the processing in relation to its purpose, and an evaluation of the risks to the rights and freedoms of the data subjects.

Our team of data protection experts has prepared a detailed guide on conducting a DPIA. From identifying data processing activities to documenting and reviewing your process, we'll walk you through it step-by-step.

Step 1: Identify data processing activities

The DPIA begins by identifying any processing activities that could pose a high risk to the rights and freedoms of individuals.

Step 2: Assess the data protection risks

Assess the potential risks associated with these processing activities. Our experts will help you identify these risks and assess their consequences.

Step 3: Mitigate the risks

Develop measures to mitigate the identified risks. Our expert lawyers will assist you in selecting appropriate measures. 

DPIA for the risk assessment of data processing

As companies increasingly introduce new technologies and cloud structures, a data protection impact assessment is useful to evaluate and mitigate the risks associated with the introduction of new technologies.

Practical example: Development of a health app by a technology company

A DPIA becomes relevant if your company works with health data or plans to develop systems or apps that process sensitive data. Because health data is particularly worthy of protection, the data protection requirements are particularly high in this case. A DPIA therefore not only helps to meet the legal requirements but also strengthens users' trust in the security of their data.

Frequently asked questions

The frequency of carrying out a data protection impact assessment depends on several factors, including the type of data processing, the occurrence of changes or new risks, and the privacy relevance of the processing. In general, it is advisable to review and update the DPIA on a regular basis.

Article 35(2) of the GDPR states that the "controller" shall conduct the DPIA. As a rule, the data controller is responsible for carrying out the data protection impact assessment and for seeking the advice of the data protection officer, whether internal or external.

Failure to conduct a required data protection impact assessment can result in significant penalties under the GDPR, including fines of up to €10 million or 2% of the global annual turnover of the previous fiscal year, whichever is greater.

The DPIA usually consists of three main parts:

  • A systematic description of the planned data processing operations and the purposes of the processing.
  • An assessment of the necessity and proportionality of the processing operations in relation to the purpose.
  • An assessment of the risks to the rights and freedoms of data subjects and the mitigation measures, safeguards and mechanisms envisaged to mitigate those risks.

A DPIA is necessary when data processing involves a high risk to the rights and freedoms of data subjects, for example when sensitive data is processed. The processing of sensitive data requires a careful assessment of the associated risks and the potential impact on privacy to ensure compliance with data protection requirements. Examples of such processing include:

  • Comprehensive processing of biometric data to uniquely identify natural persons
  • Comprehensive processing of genetic data
  • Comprehensive processing of data on the location of data subjects.

The data protection officer plays an essential role in the performance of the DPIA. He or she advises the controller or processor on how to conduct the DPIA, reviews the results, and ensures that the DPIA is conducted in compliance with the GDPR.

Not all companies are obliged to conduct a DPIA. The obligation to conduct a DPIA arises from Article 35 of the GDPR and only concerns processing operations that involve a high risk to the rights and freedoms of natural persons, in particular when using new technologies.

Although it is possible to perform a DPIA yourself, it is often advisable to consult a data protection law expert or a data protection officer due to the complexity of the requirements of the GDPR.

The GDPR provides a set of guidelines for conducting a DPIA. It is important that you familiarize yourself with these guidelines and incorporate them into your DPIA. In addition, consulting with an external data protection expert or data protection officer can help ensure compliance.