Data protection impact assessment

The purpose of a data protection impact assessment (DPIA) is to identify, evaluate and manage risks connected to the processing of personal data. Already at the planning stage, the risks that the processing of personal data creates for people must be evaluated and documented.

The City of Helsinki has published its own impact assessment tools. The objective of publishing them is to facilitate cooperation on data protection between the City and its service producers.

Moreover, by making the impact assessment tools available to everyone, the City of Helsinki wants to promote data protection by design and by default outside the city borders as well.

The impact assessment tools have been designed for the City of Helsinki's operations, which is why users outside the city must consider the applicability of the tools to their own operations.

When should an impact assessment be made?

An impact assessment is compulsory, for example, when new technology is introduced, when sensitive or otherwise very personal data are processed or when personal data are processed on a large scale.

The impact assessment shall be made before the service or system is put into use.

Start with an initial assessment!

An initial impact assessment shall always be made when starting to plan a new process, system procurement or construction of a system in the City’s own system development.

An initial assessment shall also be made when planning significant changes to existing processes and systems.

Answering the questions of the initial assessment reveals whether an impact assessment should be made or whether data protection should be taken into account using the data protection checklist.

Impact assessment or data protection checklist?

If the initial assessment shows that an impact assessment must be conducted, then the impact assessment tool and risk analysis form are taken into use.

A proven method for conducting an impact assessment is the workshop method, which starts with an initial meeting to which all necessary experts are invited. Responsibilities are assigned at the initial meeting. For the impact assessment workshop (or workshops) held after the initial meeting, the experts sort out in advance the matters connected to their responsibilities, and the information can then be documented in the tool jointly.

If the preliminary assessment has shown that personal data is being processed, but an actual impact assessment is not needed, then a data protection checklist shall be compiled.

The data protection checklist contains the things that always have to be considered during development, even when the personal data being processed are not sensitive or otherwise risky.

06.12.2019 15:03