Data protection risk and impact assessments

This page was updated in January 2022. Please note that we will update these pages regularly.


Do you process personal data as part of your research? Here you can learn more about:

  • What risks the processing poses to the data subject's rights and freedoms.

  • How you can eliminate or mitigate those risks.

  • Whether it is necessary to carry out a data protection impact assessment (required when the risk is high).

  • How to ensure that the risk assessment and the data protection impact assessment are up to date and accurate.

What is a risk assessment?

The data protection approach to processing personal data is risk-based. A risk assessment is an objective assessment of the risks the planned processing of personal data may pose to the rights and freedoms of data subjects. Thus, when carrying out a risk assessment, you need to assess both the likelihood of an event occurring and the impact such an event would have on the person whose data you are processing (the data subject).


What is the difference between a data protection risk assessment and other risk assessments?

A data protection risk assessment concerns the risks to which the data subjects are exposed when their personal data is being processed. This means that the risk assessment should not concern the data controller’s risk of sanctions, damage to reputation or similar.   

The data controller must take the place of the data subject and consider the risks to which the data subject will be exposed in the planned processing activity(ies) to be performed by the data controller.  

When should a written risk assessment be made?

Prior to any processing of personal data, a written risk assessment must be carried out by the data controller or by a data processor on behalf of the data controller. In the latter case, the data controller will make a risk assessment of the processing that the data processor is to perform.    

Who should make a written risk assessment and why?

As a researcher employed at AU, you are responsible for ensuring that, in your research project, AU complies with the statutory data protection rules. As you or your research group is most likely to know how the processing of personal data is to be carried out, you will be best suited to assess the risks to which the data subject will be exposed in the processing of his or her personal data.  
 
In other words, you must carry out a risk assessment of the planned processing of personal data before you start processing the personal data. In this way, you can assess whether you need to make an impact assessment, and which security measures are necessary to protect the personal data while you are processing it. 

You must keep your written risk assessment together with your other project documentation throughout the period in which you process personal data. Be aware that you must update the risk assessment if changes occur.

How do I prepare a written risk assessment?

There are no formal requirements for the risk assessment, but it must be in writing (documented) to live up to the accountability principle of the General Data Protection Regulation.  

The risk assessment must include an assessment of the risks to which the data subject is exposed in the following areas:  

  • confidentiality,

  • integrity, and

  • availability.

There are many ways to carry out a risk assessment, but common to them all is that the risk assessment consists of: 

  • Identification of potential risks, 
  • Assessment of the likelihood of the event occurring, and  
  • Assessment of the consequences for the data subject, should the event actually occur.  

Template

This guide includes a template for carrying out a risk assessment of the planned processing of personal data in your research project. Note that the template is not suitable for large and complex research projects involving, for example, many project partners, or for IT systems, etc., as this will require a more extensive template.  
If you need an extended template, contact the Data Protection Unit at dpo@au.dk.    


Likelihood

To use the template, you have to be familiar with the scale used for assessing likelihood. Use the following criteria in your assessment of the likelihood of the event occurring: 

Unlikely (1)

The event will almost never occur.

Not very likely (2)

The event will only occur under exceptional circumstances.

Likely (3)

The event could occur in many cases.

Expected (imminent) (4)

The event will occur.


Consequences

When evaluating the consequences of an event, you should assume that the event has occurred. You should then assess the impact (consequences) this will have on the data subject.  

In your assessment of consequences, always remember to consider the number/category of data subjects, the scope/category of personal data, and remember to assess the consequences on the basis of the worst case scenario.  

Types of consequences:   

  • Physical damage: Physical damage is inflicted on the person whose data is being processed.
  • Material damage: E.g. loss of revenue.
  • Non-material damage: E.g. damage of reputation.

The degree of consequences: 

No or insignificant consequences (1)

No particular impact on the data subject in connection with the event. 

Inconvenient consequences (2)

There are shortcomings that are inconvenient, but not to a serious degree. 

Critical consequences (3)

The processing entails critical consequences for the person whose data is being processed, e.g. unauthorised disclosure of ordinary personal data.    

Unacceptable consequences (4)

The consequences of processing are so serious for the person whose data is being processed that the processing must not be carried out unless measures are taken to significantly reduce the risk of damage. This may involve unauthorised disclosure of sensitive personal data.


How do I calculate the risk, and how do I interpret the result of a risk assessment?

Likelihood and consequences each have a value from 1 to 4, where 1 is the lowest and 4 is the highest. The risk is calculated by multiplying the likelihood of the event occurring by the consequences of the event occurring.

Consequences (across) x Likelihood (down):

Likelihood \ Consequences     No or insignificant   Inconvenient   Critical   Unacceptable
                              consequences (1)      consequences (2)   consequences (3)   consequences (4)

Unlikely (1)                            1                   2                 3                  4
Not very likely (2)                     2                   4                 6                  8
Likely (3)                              3                   6                 9                 12
Expected (imminent) (4)                 4                   8                12                 16

After multiplying the two values, you get a figure that appears in the matrix above. The figure shows whether the risk to which the data subject is exposed is considered low (green), medium (yellow) or high (red). Use the result to decide whether to mitigate (reduce) the risk, eliminate the risk where possible, or accept the risk.

Also note that, as a general rule, you will have to carry out an impact assessment if the risk is high. If you need to carry out an impact assessment, contact AU's data protection officer at dpo@au.dk for help.

The Danish Data Protection Agency has established some cases in which processing will always result in a high risk for the data subject. These cases are listed in part 7 of this template.
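The following is an added example, not a tool from AU or the Data Protection Unit, showing how the likelihood x consequence matrix above can be applied to a small risk register covering confidentiality, integrity and availability, scoring each risk before and after a mitigation and applying the page's general rule that a high risk calls for an impact assessment. The green/yellow/red cut-offs (LOW_MAX, MEDIUM_MAX) are an assumption, because the matrix's colour coding is not reproduced in the text; the sample register is constructed for a fictitious interview study.

```python
"""Scoring a risk register with the 4 x 4 likelihood x consequence matrix.

Added example, not a tool from AU or the Data Protection Unit. The green /
yellow / red cut-offs below are an ASSUMPTION: the page's colour coding
is not present in the text, so replace LOW_MAX and MEDIUM_MAX with the
values in the template before relying on the ratings.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Scales from the page: 1 is lowest, 4 is highest.
LIKELIHOOD: Dict[str, int] = {
    "unlikely": 1, "not very likely": 2, "likely": 3, "expected": 4,
}
CONSEQUENCE: Dict[str, int] = {
    "insignificant": 1, "inconvenient": 2, "critical": 3, "unacceptable": 4,
}
AREAS = ("confidentiality", "integrity", "availability")

# ASSUMED colour thresholds (illustrative only, see module docstring).
LOW_MAX = 3      # 1..3  -> low (green)
MEDIUM_MAX = 8   # 4..8  -> medium (yellow); 9..16 -> high (red)


@dataclass
class Risk:
    """One identified risk to the data subject, before and after mitigation."""
    description: str
    area: str                                   # one of AREAS
    likelihood: str                             # key of LIKELIHOOD
    consequence: str                            # key of CONSEQUENCE
    mitigation: str = ""
    residual_likelihood: Optional[str] = None   # None: unchanged by mitigation
    residual_consequence: Optional[str] = None

    def __post_init__(self) -> None:
        if self.area not in AREAS:
            raise ValueError(f"area must be one of {AREAS}, got {self.area!r}")


def score(likelihood: str, consequence: str) -> int:
    """Risk value = likelihood value x consequence value (1..16)."""
    try:
        return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    except KeyError as exc:
        raise ValueError(f"unknown scale label {exc.args[0]!r}") from None


def rating(value: int) -> str:
    """Map a matrix value to low / medium / high using the ASSUMED thresholds."""
    if value <= LOW_MAX:
        return "low"
    if value <= MEDIUM_MAX:
        return "medium"
    return "high"


def build_matrix() -> Dict[str, Dict[str, int]]:
    """Reproduce the page's 4 x 4 matrix as matrix[likelihood][consequence]."""
    return {lk: {c: score(lk, c) for c in CONSEQUENCE} for lk in LIKELIHOOD}


def assess(risk: Risk) -> Dict[str, object]:
    """Inherent score (before mitigation) and residual score (after it)."""
    inherent = score(risk.likelihood, risk.consequence)
    residual = score(risk.residual_likelihood or risk.likelihood,
                     risk.residual_consequence or risk.consequence)
    return {
        "description": risk.description, "area": risk.area,
        "inherent": inherent, "inherent_rating": rating(inherent),
        "residual": residual, "residual_rating": rating(residual),
    }


def needs_impact_assessment(register: List[Risk],
                            after_mitigation: bool = True) -> bool:
    """Page rule: as a general rule, a high risk means an impact assessment.

    The screening questions further down the page can also trigger one;
    they are not modelled here.
    """
    key = "residual_rating" if after_mitigation else "inherent_rating"
    return any(assess(r)[key] == "high" for r in register)


# Constructed sample register for a fictitious interview study.
SAMPLE_REGISTER: List[Risk] = [
    Risk("Laptop holding interview recordings is lost or stolen",
         "confidentiality", "likely", "critical",
         mitigation="Full-disk encryption; recordings kept only on AU-managed storage",
         residual_likelihood="not very likely"),
    Risk("Survey responses corrupted by a faulty import script",
         "integrity", "not very likely", "inconvenient",
         mitigation="Versioned backups and a dry run of every import",
         residual_likelihood="unlikely"),
    Risk("Health data sent to a project partner without a data processing agreement",
         "confidentiality", "likely", "unacceptable",
         mitigation="Data processing agreement signed; data pseudonymised before transfer",
         residual_likelihood="unlikely", residual_consequence="critical"),
]

if __name__ == "__main__":
    for row in map(assess, SAMPLE_REGISTER):
        print(f"{row['inherent']:>2} {row['inherent_rating']:<6} -> "
              f"{row['residual']:>2} {row['residual_rating']:<6} {row['description']}")
    print("Impact assessment needed (after mitigation):",
          needs_impact_assessment(SAMPLE_REGISTER))
```

Keeping both the inherent and the residual score in the register is what makes the document useful later: it records why a mitigation was chosen, and if a change in the project (a new partner, a new storage location) moves a likelihood or consequence up the scale, the register shows immediately whether the result crosses into high risk and the impact assessment question has to be revisited.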



What is an impact assessment, and what is the purpose?

An impact assessment is a written analysis of the impacts of your planned processing activities on the data subjects' rights and freedoms. In other words, you use the analysis to describe the consequences of your processing of personal data for the persons whose data you need to process.

The purpose of the impact assessment is to give you an overview and to enable you to minimise or completely eliminate any risks there may be for the people whose data you are processing.

Whether you need to prepare an impact assessment depends on whether there is a high risk in the planned processing of personal data. You must first describe this in your risk assessment (see above). Remember, therefore, that you must always start by preparing a risk assessment, as this forms the basis for the impact assessment and it is an important element in the impact assessment. 

An impact assessment is a process that can be illustrated as follows:

When should I prepare an impact assessment?

There are several cases where you are required to prepare an impact assessment.  Below are some questions to help you decide whether there is a need for an impact assessment. It is important that you consider all of the questions in all three forms.

If you can answer yes to the question, you will have to prepare an impact assessment:

Question (tick Yes or No):

  • Does my risk assessment show that my processing of personal data will entail a high risk for the data subjects' rights and freedoms? ☐ Yes ☐ No

Even if you have answered no to the question above, it is important that you answer the questions below. In some cases, they may show that it is necessary to prepare an impact assessment. If you can answer yes to at least two questions, you will have to prepare an impact assessment:

The questions are based on the list that every supervisory authority in the EU has to prepare. You can find the list from the Danish Data Protection Agency here.

Questions (tick Yes or No):

  • Do you process biometric data (e.g. fingerprints, iris scans, etc.) in order to uniquely identify a natural person? ☐ Yes ☐ No
  • Do you process genetic data (e.g. DNA, RNA, etc.)? ☐ Yes ☐ No
  • Do you process location data (electronic information about a location)? ☐ Yes ☐ No
  • Do you use new technologies when processing personal data (e.g. AI)? ☐ Yes ☐ No
  • Do you process personal data to make decisions about a natural person's right to a product, a service, a potential opportunity or preferential treatment? ☐ Yes ☐ No
  • Do you process personal data in such a way as to profile a natural person at large scale? ☐ Yes ☐ No
  • Do you process personal data about vulnerable persons or sensitive data (special categories) where profiling or other types of automated decisions are used? ☐ Yes ☐ No
  • Do you process personal data in which a breach of personal data security may have a direct effect on a person's physical health or on the safety of a natural person? ☐ Yes ☐ No
  • Do you process sensitive personal data or information about criminal offences to a large extent? ☐ Yes ☐ No
  • Do you systematically and to a large extent monitor the data subject or a publicly accessible area? ☐ Yes ☐ No
  • Do you match or combine data sets that have different purposes? ☐ Yes ☐ No

If you can answer yes to one of the questions below, you do not have to prepare an impact assessment:

Questions (tick Yes or No):

  • Have you or others at AU previously prepared an impact assessment for the proposed form of processing? ☐ Yes ☐ No
  • Did you commence processing of personal data before 25 May 2018, and have there been no changes in relation to the processing that was reported to the Danish Data Protection Agency or to AU's common notification? ☐ Yes ☐ No

What should an impact assessment contain?

An impact assessment should contain at least the following:

  1. A systematic description of the processing activities that are the subject of the impact assessment – in other words, how will you process the data?
  2. An assessment of the necessity and proportionality of the processing activities.
  3. A description of the risks associated with the proposed processing, including how the personal data is managed.
  4. A consultation with interested parties.

Who is to prepare the impact assessment?

As a researcher, you should prepare the impact assessment, as you are already familiar with the project. Note that you should contact AU's data protection officer only after you have carried out your risk assessment, but before you begin the impact assessment. The data protection officer will then advise you on how to prepare the impact assessment.