GDPR - Assessments
Different types of assessments
There are several different types of assessments that companies may need to carry out before processing personal data in accordance with the GDPR, for example impact assessments and legitimate interest assessments.
Impact assessments prior to processing
If any processing of personal data may result in high risks to the rights and freedoms of data subjects, the company shall carry out an impact assessment before the processing takes place.
This is stated in Article 35 of the GDPR. If the company does not carry out an impact assessment when one is required, this can lead to consequences, in the worst case a fine.
Purpose of an impact assessment
The purpose of conducting an impact assessment is to investigate whether the processing is permitted under the GDPR and how the company should prevent the risks that the processing poses to the data subjects.
What should be included in an impact assessment?
Description
The assessment shall contain a systematic description of the processing of the personal data and of the purpose of the processing.
Proportionality
The company shall assess whether the processing of personal data is proportionate to the purpose of the processing.
Risks to data subjects
The risks that the processing may pose to the rights and freedoms of data subjects.
Measures to minimise risks
The measures that the company has planned to take to minimise the risks.
If the company has a data protection officer
Some companies need to appoint a data protection officer (DPO). Companies that have a data protection officer shall always consult the data protection officer when carrying out an impact assessment.
Examples of different types of impact assessments that companies may need to carry out
Risk assessment before new processing of personal data
Companies should carry out a risk assessment before starting any new processing of personal data. The same applies when they introduce new technologies or systems into existing processes. The assessment shall determine the risks and consequences that the processing may entail for the data subjects. In addition, the analysis and assessment shall include the safeguards the company will take to minimise the risks.
Data Protection Impact Assessment (DPIA)
If the processing of personal data poses a high risk to the rights and freedoms of data subjects, the company must conduct and document a Data Protection Impact Assessment (DPIA). In the DPIA, the company shall evaluate the risks and the security measures intended to minimise them. It is particularly important to carry out a Data Protection Impact Assessment when the company is to use new technologies or process sensitive or other privacy-sensitive personal data on a large scale.
Data Transfer Impact Assessment (DTIA)
When a company within the EU transfers personal data to a country outside the EU/EEA area, i.e. a third country under the GDPR, stricter rules apply. If the European Commission has decided that the third country in question has an adequate level of protection, the company does not need to take any additional safeguards for the data transfer. However, if the third country does not have an adequate level of protection according to the European Commission, the company must take additional safeguards. Among other things, the company must carry out a Data Transfer Impact Assessment if it intends to store data with a cloud service provider in a third country.
Request prior consultation with the national data protection authority
If the risk to the rights and freedoms of individuals remains high after the company has carried out an impact assessment, the company should request a prior consultation with the national data protection authority. The authority may then decide that the processing is allowed, specify which parts of the processing must be changed in order for it to be allowed, or prohibit the processing. Please note that companies must carry out and document a complete impact assessment before requesting a prior consultation under Article 36 GDPR.
Balancing of interests to assess legitimate interest
Legitimate interest is one of the six (6) legal bases on which companies can base a processing operation, according to Article 6(1)(f) GDPR. In order to determine whether the company has a legitimate interest or not, the company must carry out and document a Legitimate Interest Assessment (LIA). This means that the company weighs its own interest against the interests or fundamental rights and freedoms of the data subjects. Public authorities cannot use legitimate interest as a legal basis.
When can companies have a legitimate interest in processing personal data?
Here are some examples of when a company may have a legitimate interest in processing personal data:

Direct marketing
A company may have a legitimate interest in sending out advertising by e-mail to former customers. On the other hand, there is usually no legitimate interest in sending advertising by e-mail to ‘cold customers’; in such cases, consent is the more appropriate legal basis. The processing of personal data for direct marketing purposes may be considered a legitimate interest pursuant to Recital 47 of the GDPR.

Intra-group data sharing
Companies that are part of the same group may have a legitimate interest in sharing personal data within the group for internal administrative purposes, for example when processing employees' or customers' personal data. This is stated in Recital 48 of the GDPR.

Prevention of crime
A company may have a legitimate interest in processing personal data to prevent crimes such as fraud. Please note that the processing in question must be strictly necessary for this purpose.

Employee safety
A company may have a legitimate interest in ensuring the safety of its employees.
Learn more
Information security
Companies shall protect the personal data they process by taking appropriate organisational and technical security measures. Examples include keeping backups on a cloud service, installing antivirus software, offering GDPR training to staff, and establishing the necessary GDPR-related agreements and documents. The starting point is that the more important the personal data, the stricter the requirements.