Data protection impact assessment

The purpose of the data protection impact assessment is to identify, assess and manage the risks related to the processing of personal data. The risks posed to people by the processing of personal data must be assessed and documented as early as the planning stage.

The City of Helsinki has released its own impact assessment tools, which you can find on the Finnish page. The aim of releasing these tools is to facilitate cooperation between the city and its service providers in matters related to data protection and to increase transparency in the processing of personal data.

By making the impact assessment tools available to everyone, the City of Helsinki also wants to promote the implementation of data protection by design and by default outside the city boundaries.

The first versions of the tools were released in 2019, and the updated versions were released in the autumn of 2022.

The impact assessment tools are designed for the operations of the City of Helsinki, so users outside the city must consider the suitability of these tools for their own operations.

When should an impact assessment be carried out?

An impact assessment is carried out, for example, when new technology is introduced, when sensitive or otherwise highly personal data is processed, or when personal data is processed on a large scale.

An impact assessment must be carried out before the service or system is introduced.

Start with the initial assessment

An initial assessment must be carried out whenever a new process, system acquisition or system construction is planned in the city’s own system development.

The initial assessment must also be carried out when planning significant changes to existing processes and systems.

By answering the questions of the initial assessment, you will be able to determine whether an impact assessment should be carried out, or whether data protection should be taken into account by means of a data protection checklist.

Impact assessment or data protection checklist?

If the initial assessment indicates that an impact assessment needs to be carried out, the next step is to start using an impact assessment tool.

We have found that an effective way to carry out the impact assessment is by using the workshop method, which involves an initial meeting to which any necessary experts are invited. Participants in this initial meeting agree on the division of responsibilities. By the time of the impact assessment workshop (or workshops) that follows the initial meeting, the experts have already investigated the issues in their areas of responsibility, so the information can be jointly documented in the tool.

If the initial assessment has shown that there is no need to carry out an actual impact assessment even though personal data is being processed, the next step is to use the data protection checklist.

The data protection checklist contains the things that must always be taken into account during development, even if the personal data is not particularly sensitive or otherwise high-risk.