With the introduction of the GDPR last year, there were numerous innovations and renamings of existing methods. One of these is likely to be the data protection impact assessment.
The same should apply to a data protection impact assessment, which is regulated by Article 35 GDPR.
Where a form of processing, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons due to the nature, scope, circumstances and purposes of the processing, the controller shall carry out an assessment in advance of the impact of the planned processing operations on the protection of personal data.
But who needs to carry out such a data protection impact assessment? Well, the relevant case is likely to be when there is a systematic and comprehensive assessment of personal aspects of natural persons based on automated processing, including profiling, which in turn serves as a basis for decisions that have legal effect on natural persons or have a similarly significant impact on them.
A positive list of the types of data processing operations affected can be found in this document. But beware: this is not a final list.
It is up to each person to decide for himself whether the prerequisites are in place. However, in the opinion of the Data Protection Commission, the decision to carry out or not carry out an impact assessment, stating the relevant reasons for the specific processing operation, must be documented in writing.
For typical online shops, etc., processing operations such as the creation of comprehensive profiles about the movement and purchasing behaviour of affected persons are probably the most relevant. These could occur when recording the purchasing behaviour of different groups of people for profiling and customer loyalty, using prices and discounts.
If you use WooCommerce or Shopify with plugins that analyze customers’ buying behavior and statistically evaluate the success of discount promotions, such as Black Friday sales, a data protection impact assessment may be necessary.
Incidentally, a data protection impact assessment is not a one-off process. If, for example, new risks arise, the assessment of already identified risks changes, or there are material changes in the procedure that were not taken into account in the previous data protection impact assessment, the data protection impact assessment must be reviewed and adapted.
The data protection impact assessment is therefore, on a small scale, something of an instrument for simply thinking through one’s own data protection processes and giving a little thought to things such as IT security, amount of data, deletions, archiving, access rights and much more. There are a few more pointers in this short paper.