Data protection impact assessment
When is a data protection impact assessment necessary?
If it is likely that a planned processing of personal data will entail a high risk for the data subjects’ freedoms and rights, the University needs to carry out a data protection impact assessment.
A list of the processing that requires a data protection impact assessment can be found on the Swedish Authority for Privacy Protection website List regarding when an impact assessment is to be carried out – Swedish Authority for Privacy Protection (imy.se) The list is not exhaustive. If there is uncertainty about whether an assessment is needed, the data protection officer can be contacted for guidance.
What is the purpose of a data protection impact assessment?
A data protection impact assessment helps the University to ensure that the requirements of the General Data Protection Regulation (GDPR) are fulfilled. It is also a way to show the supervisory authority that the GDPR is being observed.
A data protection impact assessment also gives the University an understanding of the consequences and risks of personal data processing and can be helpful in assessing which security measures are needed or which technical solutions should be chosen.
Taking a position on such issues at an early stage also reduces the risk of the University starting a processing procedure that must be changed later because it does not fully meet the GDPR requirements.
How is a data protection impact assessment carried out?
Work on a data protection impact assessment should start as soon as it is practically possible and be updated as the various parts of the processing are confirmed. Using the assessment as a tool in planning can also make it easier to take the right decision on issues that are important from a privacy perspective, for example:
- how much data is to be collected?
- which legal basis is being applied?
- for what purpose is the data being processed?
The data protection officer provides a template for carrying out a data protection impact assessment, gives advice during the process and monitors implementation of the assessment.
Do not consider a data protection impact assessment to be a one-off procedure, but as an ongoing process that needs to be continuously reviewed and updated. Using this approach, it will be easier to note and incorporate the privacy aspect in all parts of personal data processing.
You can read about data protection impact assessments on the Swedish Authority for Privacy Protection website Impact assessments and prior consultation – Swedish Authority for Privacy Protection (imy.se)
For questions about personal data and data protection, please contact:
Data Protection Officer, Legal Counsel
dataskyddsombud [at] lu [dot] se
+46 46 222 04 26