Data Impact Assessment (DPIA)

What is a DPIA?

Impact assessments are required under Article 35 of the GDPR. The purpose is to identify and minimise risks to the rights and freedoms of individuals before the beginning of personal data processing (deletion, transfer, processing, etc.). Risks shall primarily be assessed based on data protection and integrity aspects, but also based on other basic human rights, such as freedom of speech and thought, free movement or the prohibition of discrimination.

DPIA are not a one-off event but a constantly ongoing process. A DPIA is always preceded by a risk analysis.

If the party responsible for the processing of personal data decides a DPIA deemed not necessary, e.i the processing isn´t likely to result in a high risk to individuals, then this must be justified and documented in an appropriate manner. Decisions made based on a DPIA must be documented.

The impact assessment must be conducted before the processing of personal data begins.

When do we need a DPIA?

A DPIA is always required in the following cases:

• In automated individual decision-making (e.g. recruitment without personal contact, fully automated admissions) and profiling (use of personal data to create specific profiles based on personal aspects and in cases where the profiles are used to make automated decisions).
• When processing sensitive personal data (ethnic origin, political views, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, sex life or sexual orientation) or personal data related to a crime or suspicion of a crime.
• A systematic monitoring of a publicly accessible area on a large scale.

The assessment of the concept of “large scale” includes, for example, how many people are registered, how long the personal data is processed and how large the geographical area.

A DPIA is also required if the planned personal data processing meets at least two of the following criteria and it is deemed likely that the processing will lead to a high risk:

• evaluating or rating people.
• processing personal data for the purpose of making automated decisions that have legal consequences or similar significant consequences for the data subject.
• systematically monitoring people, for example through camera surveillance of a public place or by collecting personal data from Internet use in public settings.
• processing sensitive personal data or data of a highly personal nature.
• processing personal data to a large extent.
• combining personal data from two or more processing operations in a way that deviates from what the data subject could reasonably have expected, for example when registers are coordinated.
• processing personal data about individuals who for some reason are at a disadvantage or in a position of dependency and are therefore vulnerable, such as children, employees, asylum seekers, the elderly and patients.
• using new technology or organisational solutions, such as an Internet of Things (IoT) application.

The same DPIA may be used to assess multiple personal data processing instances that are similar in terms of nature, scope, content, purpose and risks.

For a new processing of personal data, the DPIA must be initiated as early as possible, even if certain parts of the processing are still unknown. Processing of personal data commenced prior to the entry into force of the General Data Protection Regulation on 25 May 2018 is subject to the DPIA requirement.

When is a DPIA not necessary?

A DPIA is not required if:

• The processing of personal data is unlikely to lead to a high risk to people’s rights and freedoms.
• The processing of personal data is very similar to other processing where there is already an impact assessment.
• The processing of personal data has its legal basis in a law or regulation, and an impact assessment was already done when the law or regulation was adopted (examples of which are not yet available).

What happens if we don´t do a DPIA?

If a DPIA was not done in cases, where it was required or if it was done incorrectly, the university may incur sanction fees. KTH may also be forced to cease that specific processing of personal data.

Who is responsible for the impact assessment?

KTH is the controller of the personal information and as such responsible for the entire process: the implementation, approving the DPIA and using the assessment for continued decisions based on its conclusions.

KTH must consult the Swedish Authority for Privacy Protection (IMY) if the DPIA identifies a high risk and KTH cannot take measures to reduce that risk. KTH cannot begin the processing until KTH have consulted IMY. If KTH plan to contact IMY, the Data Protection Officer should be consulted.

In the impact assessment process, individuals who represent different perspectives and competencies should work together to make a correct assessment, e.g. project managers, research leaders or researchers appointed by the research leader (in research projects).

In certain cases, it may also be appropriate to obtain the views of the data subjects/ individuals in the DPIA. KTH must justify and describe why it´s not appropriate to seek the data subjects view.

If the Data Protection Officer gives advice in the assessment, this should be documented in the implementation template.

How do to carry out a DPIA

KTH´s template for DPIA: KTH_DPIA_01.00_eng (docx 123 kB)

Please contact KTH’s Data Protection Officer for further assistance.

Amend a project description or reference to the data management plan and potential ethics application to and/or decision from the Ethical Review Board.

Contact details to KTH´s Data Protection Officer

KTH´s Data Protection Officer is Robin Roy.

Landline telephone: + 46 8 790 87 52

Postal address: Brinellvagen 8, 100 44 Stockholm, Sweden

E-mail: dataskyddsombud@kth.se