- Introduction of the GDPR brought numerous innovations and the data protection impact assessment.
- Processing directory is required for individuals, self-employed persons and entrepreneurs with personal data.
- Art. 35 GDPR regulates the data protection impact assessment in the event of a high risk to the rights of natural persons.
- Written documentation is required if an impact assessment is carried out or not carried out.
- Online stores should consider a data protection impact assessment when creating customer profiles.
- An impact assessment is not a one-off process; it must be reviewed regularly.
- It serves as an instrument for improving data protection processes and IT security.
With the introduction of the GDPR last year, there were numerous innovations and renaming of methods or renames. One of these is likely to be the data protection impact assessment.
While most people have heard about a privacy policy and that such a, more or less meaningful, must be incorporated into their own website, it usually stops with other instruments. For example, very few people know that as a person, self-employed person or entrepreneur who processes personal data, you must create a processing directory (see this article).
The same should apply to a data protection impact assessment, which is regulated by Article 35 GDPR.
If a form of processing, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons due to the nature, scope, context and purposes of the processing, the controller shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data beforehand.
But who must carry out such a data protection impact assessment? Well, the relevant case is likely to be when there is a systematic and comprehensive assessment of personal aspects relating to natural persons, which is based on automated processing, including profiling, and which in turn serves as the basis for decisions that produce legal effects concerning natural persons or similarly significantly affect them.
A positive list of the types of data processing operations concerned can be found in this document. But beware: this is not a final list.
It is up to each person to decide for himself whether the prerequisites are in place. However, in the opinion of the Data Protection Commission, the decision to carry out or not carry out an impact assessment, stating the relevant reasons for the specific processing operation, must be documented in writing.
For typical online shops, etc., processing processes such as the creation of comprehensive profiles about the movement and purchasing behaviour of affected persons are probably the most relevant. These could arise when recording the purchasing behavior of different groups of people for profiling and customer loyalty with the help of prices, discounts and rebates .
Using WooCommerce or Shopify as plugins that analyze customers’ buying behavior and statistically evaluate and evaluate the success of discount promotions, such as Black Friday sales, a data protection impact assessment may be necessary.
Incidentally, a data protection impact assessment is not a one-off process. If, for example, new risks arise, the assessment of already identified risks changes or if there are material changes in the procedure that have not been taken into account in the previous data protection impact assessment, the data protection impact assessment shall be check and adapt.
The data protection impact assessment is therefore in little something of an instrument to simply think about one’s own data protection processes and to include things such as IT security, amount of data, deletions, archiving, access rights and much more. little to worry about. There are a few more tips in this short paper.
