Your browser has javascript turned off or blocked. This will lead to some parts of our website to not work properly or at all. Turn on javascript for best performance.

The browser you are using is not supported by this website. All versions of Internet Explorer are no longer supported, either by us or Microsoft (read more here: https://www.microsoft.com/en-us/microsoft-365/windows/end-of-ie-support).

Please use a modern browser to fully experience our website, such as the newest versions of Edge, Chrome, Firefox or Safari etc.

Data protection impact assessment

When is a data protection impact assessment necessary?

If it is likely that a planned processing of personal data will entail a high risk for the data subjects’ freedoms and rights, the University needs to carry out a data protection impact assessment.

A list of the processing that requires a data protection impact assessment can be found on the Swedish Authority for Privacy Protection website List regarding when an impact assessment is to be carried out – Swedish Authority for Privacy Protection (imy.se) The list is not exhaustive. If there is uncertainty about whether an assessment is needed, the data protection officer can be contacted for guidance.

What is the purpose of a data protection impact assessment?

A data protection impact assessment helps the University to ensure that the requirements of the General Data Protection Regulation (GDPR) are fulfilled. It is also a way to show the supervisory authority that the GDPR is being observed.

A data protection impact assessment also gives the University an understanding of the consequences and risks of personal data processing and can be helpful in assessing which security measures are needed or which technical solutions should be chosen.

Taking a position on such issues at an early stage also reduces the risk of the University starting a processing procedure that must be changed later because it does not fully meet the GDPR requirements.

How is a data protection impact assessment carried out?

Work on a data protection impact assessment should start as soon as it is practically possible and be updated as the various parts of the processing are confirmed. Using the assessment as a tool in planning can also make it easier to take the right decision on issues that are important from a privacy perspective, for example:

  • how much data is to be collected?
  • which legal basis is being applied?
  • for what purpose is the data being processed?

The data protection officer provides a template for carrying out a data protection impact assessment, gives advice during the process and monitors implementation of the assessment.

Do not consider a data protection impact assessment to be a one-off procedure, but as an ongoing process that needs to be continuously reviewed and updated. Using this approach, it will be easier to note and incorporate the privacy aspect in all parts of personal data processing.

Further information

You can read about data protection impact assessments on the Swedish Authority for Privacy Protection website Impact assessments and prior consultation – Swedish Authority for Privacy Protection (imy.se)

Contact

For questions about personal data and data protection, please contact:

Kristin Asgermyr
Data Protection Officer, Legal Counsel
dataskyddsombud [at] lu [dot] se
+46 46 222 04 26