HAMK - Häme University of Applied Sciences

Digipedagogical guidelines


Data protection impact assessment


According to the General Data Protection Regulation (Article 35), ‘Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data’. More detailed information is available, for instance, at https://tietosuoja.fi/en/impact-assessments. The impact assessment must be completed before the processing of personal data begins, because its purpose is to identify and mitigate risks in the planned processing rather than to document processing that is already under way.

An impact assessment may also be carried out voluntarily when these criteria are not met. If it is unclear whether the criteria are met, an impact assessment should be carried out.

    In what situations should an impact assessment be made?

    Special situations mentioned in the General Data Protection Regulation

    The Regulation particularly mentions the following:

    • Profiling and automated decision-making based on a systematic and extensive evaluation of personal aspects
    • Large-scale processing of special categories of (sensitive) personal data
    • Systematic and large-scale monitoring of an area open to the public

The introduction of new technical solutions (e.g. facial recognition in access control) or organisational innovations may also require an impact assessment.

    Special situations listed by the Office of the Data Protection Ombudsman

    The Office of the Data Protection Ombudsman has published a list of situations where an impact assessment should always be carried out. The list is available at https://tietosuoja.fi/en/list-of-processing-operations-which-require-dpia. The list includes the following:

    • Processing of biometric data
    • Processing of genetic data
    • Processing of location data
    • Derogations from the provision of information to the data subject
    • Whistleblowing systems

If you process data of these kinds, check whether an impact assessment is required before the processing begins.

    Other high-risk situations

Whether the processing is likely to result in a high risk is assessed against the following criteria:

    • Assessment or scoring of personal data: assessment or scoring of work performance, financial situation, health, personal preferences, interests, reliability, behaviour, location or movement (including profiling and prediction).
    • Automated decision-making
    • Systematic supervision of data subjects
    • Processing of special categories of personal data or otherwise highly personal data
    • Large-scale data processing. Relevant factors include the number of data subjects, the amount of data processed, the duration or permanence of the processing and its geographical extent.
    • Combining data sets from, for instance, different registers
    • Processing of personal data of vulnerable data subjects such as children, employees, patients and students
    • Application or innovative use of new technical or organisational solutions
    • Situations in which processing activities prevent data subjects from exercising a right, using a service or enforcing a contract, for instance bank decisions on providing a loan in credit activities

The more of the above criteria apply to the planned processing of personal data, the more likely it is that an impact assessment must be carried out:

    • If two or more of the above criteria apply, an impact assessment should be carried out. If it is nevertheless established that the processing is unlikely to result in a high risk, the impact assessment may be omitted, but the reasons for omitting it must be documented.
    • If only one of the above criteria applies, an impact assessment must be carried out only if the processing is likely to result in a high risk.
    • In unclear situations, an impact assessment should be carried out.

    Carrying out an impact assessment

The impact assessment is completed using the template available on the intranet: template

For compiling data on risks, the risk management templates provided with the VAHTI instructions may be used (https://www.vahtiohje.fi/web/guest/home): VAHTI Riskiarviointi laaja.xlsx and VAHTI Riskiarviointi-tyokaluohje.pdf

Article 35 of the Regulation states the following about the impact assessment:

    The advice of the data protection officer must be sought.

    • The assessment shall contain at least the following:
      • A systematic description of the planned processing operations and the purposes of the processing, including, where applicable, the legitimate interests pursued by the controller
      • An assessment of the necessity and proportionality of the processing operations in relation to their purposes
      • An assessment of the risks to the rights and freedoms of data subjects
      • The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned

If the impact assessment indicates that the processing would result in a high risk that cannot be adequately mitigated by the planned measures, the supervisory authority (in Finland, the Office of the Data Protection Ombudsman) must be consulted before the processing begins (Article 36).

    Additional material

    • Data Protection Ombudsman’s guidelines: https://tietosuoja.fi/en/impact-assessments
    • https://tietosuoja.fi/documents/6927448/8316711/Guidelines+on+Data+Protection+Impact+Assessment.pdf/def06c04-03f9-4505-99d2-709243ef2d35/Guidelines+on+Data+Protection+Impact+Assessment.pdf

    Contact your data protection officer for more information.

    Last Updated: 5 years ago
    in Privacy protection
    Tags: Data protection
    This material is CC licensed Attribution-ShareAlike 4.0 International.

    Our site uses cookies to track the use of the site and to develop our service. You may decline or accept these cookies.AcceptDeclineMORE INFORMATION