Practitioners’ manual helps companies and public authorities conduct data protection impact assessments

Since 2018, under the European General Data Protection Regulation (GDPR), companies and other organizations have been obliged to conduct data protection impact assessment (DPIA) in certain cases. Prior to any data processing operations, the risks and dangers should be systematically analyzed, evaluated and protective measures taken. Fraunhofer ISI has published a practitioner’s manual, which helps companies and organizations to carry out data protection impact assessments using an approach originally conceptualized by the German »Privacy Forum« research consortium and then further developed for practical application in the research project »DPIA for companies and public authorities« led by Fraunhofer ISI.

The manual gives a succinct introduction to the data protection impact assessment requirements of the GDPR and its objectives. Data protection officers and those responsible in companies and administrations are given step by step guidelines on how to conduct a data protection impact assessment in practice, divided into five phases.

The DPIA approach has been successfully tested over the past year with companies and local authorities using a wide range of very different real data processing operations. »It was important to us that the method is feasible for both small and large companies, and that the risks are effectively identified and evaluated, even for very innovative processes like those from the field of Artificial Intelligence«, says Dr. Michael Friedewald, head of the Business Unit Information and Communication Technologies at Fraunhofer ISI, and project coordinator of both the research consortium »Privacy Forum« and the project »DPIA for companies and public authorities«.

Five phases of a data protection impact assessment

Conducing a data protection impact assessment is organized into five phases. In the initialization phase, a company or local authority clarifies whether an impact assessment is required. If this is the case, a systematic description is then made of the planned processing and its concrete context (preparation phase). In the following execution phase, the actual assessment of the risks to data subjects is made based on six data protection goals. In the subsequent implementation phase, mitigation measures are defined, implemented and documented for the identified risks. In the final sustainability phase, measures are taken to regularly monitor and review the risks. The method is based on the concepts formulated in the Privacy Forum's White Paper »Die Datenschutzfolgenabschätzung – Ein Werkzeug für einen besseren Datenschutz« and uses the German Standard Data Protection Model that was developed by the German Data Protection Supervisory Authorities. On this basis, a risk assessment was recently made of the planned coronavirus app.

The Fraunhofer Institute for Systems and Innovation Research ISI analyzes the origins and impacts of innovations. We research the short- and long-term developments of innovation processes and the impacts of new technologies and services on society. On this basis, we are able to provide our clients from industry, politics and science with recommendations for action and perspectives for key decisions. Our expertise is founded on our scientific competence as well as an interdisciplinary and systemic research approach.