GDPR Learning Hub

Article 35(3) of the GDPR

Data Protection Impact Assessment (DPIA)

Companies shall carry out a Data Protection Impact Assessment (DPIA) where there is a high risk to the rights and freedoms of data subjects when processing their personal data. 

Data protection impact assessment is mandatory in some cases

In some cases, it is mandatory for companies to establish a Data Protection Impact Assessment (DPIA). These cases are set out in Article 35(3) of the GDPR.

This applies, for example, when a company carries out large-scale processing of sensitive personal data. The same applies to automated decision-making processes that include profiling, and to systematic monitoring of a public space on a large scale.

What content should a data protection impact assessment include?

Processing

The impact assessment shall describe the processing of the personal data. For example, the categories of personal data such as sensitive or other privacy-sensitive personal data, the scope of the processing, the life cycle of the personal data (from collection to erasure), etc.

Purpose and legal basis

Companies must always have a clear and specific purpose for the processing, as well as an applicable legal basis. The impact assessment should include information on the purpose and legal basis. In addition, it is useful to analyse whether the purpose is proportionate.

Risk analysis

The impact assessment shall include a risk analysis from the perspective of the data subjects, that is, an analysis of what consequences a possible personal data breach could have for them. Note that the analysis should cover both the likelihood of a breach occurring and the severity of its consequences.

Security measures

Companies must take adequate security measures, both technical and organisational. To minimise the risks of the processing to which the impact assessment relates, the company shall therefore take appropriate security measures, and these measures should be documented in the impact assessment.

Residual risk

The company shall analyse the residual risks that remain after the security measures have been taken.

Documentation

Be sure to carry out the impact assessment in writing, rather than only thinking it through or discussing it orally. The GDPR requires companies to demonstrate compliance with the GDPR in practice, in accordance with the principle of accountability in Article 5(2) of the GDPR. This means, among other things, that the company must keep written documentation of its GDPR work.

Follow-up

Since GDPR compliance is an ongoing process, it is not always enough simply to draw up documents; they may also require updating and follow-up. It is useful to review the processing to which the impact assessment relates on a regular basis, for example once a year, to see whether the risks have changed.

If the risk remains high, the company shall request a prior consultation

If, after carrying out an impact assessment, the risk to the rights and freedoms of data subjects remains high, the company shall request prior consultation with the national data protection authority.

Role of employees in carrying out a data protection impact assessment

The impact assessment should not be carried out only by the lawyer and/or the data protection officer. It is good to also involve other employees in the company, for example staff from the IT department who can describe and explain the systems, and a manager who can describe the work processes and the purpose of the processing. With a clear division of roles and well-founded input from all appropriate employees, it is more likely that the measures will rest on a sound foundation.

Re-perform or update a data protection impact assessment

In some cases, the company needs to re-perform or update the impact assessment. Companies must analyse the risks of the personal data processing whenever changes occur, for example when the company starts using new technical solutions, expands the target group, or when new practices or legislation emerge in the field.

Do not forget to consult the Data Protection Officer

If the company has a Data Protection Officer (DPO), which some companies must have under the GDPR, the DPO should be consulted when the company conducts an impact assessment. This requirement is set out in Article 35(2) of the GDPR.

Impact assessment of data transfers

Companies shall carry out a Data Transfer Impact Assessment (DTIA) prior to a transfer of personal data to a third country lacking an adequate level of protection. A third country is a country outside the EU/EEA area, and only the European Commission can decide that a third country has an adequate level of protection. In addition, companies must carry out a Data Transfer Impact Assessment in case of an indirect transfer. For example, if the company uses a cloud service to process personal data and it, in turn, operates outside the EU/EEA area.
