RISK AND IMPACT ASSESSMENT

On 18 September 2019, the GDPR unit held a themed meeting about risk and impact assessments for managers, key employees and relevant staff in individual AAU units (see the presentation from the themed meeting here, in Danish).

The screening tool which was introduced at the themed meeting is now ready for use at AAU. Managers and key staff are responsible for sharing the tool in their own units, incorporating it into the work processes in each unit.

Below, you will find an introduction to the tool, the screening tool itself, and instructions.

If you are unsure about when you need to make a risk assessment and use the screening tool, or about how to go about it in practice, you are always welcome to contact the GDPR unit for help and guidance.

    Roles and responsibilities in the process

    Project manager

    • Responsible for screening their own project (using the screening document) and for contacting the GDPR unit or the contract unit’s personal data team, respectively, as early in the process as possible because of the consultation deadlines
    • Contribute knowledge of the project and plans for data processing to the performance of the impact assessment

    Taskforce

    • Process manager: responsible for performing the impact assessment and for the process for handling the results
    • Files the report as documentation

    The project manager’s immediate manager

    • Financial responsibility in the event that a high risk needs to be reduced
    • Can approve residual risk

    Chief Information Security Officer (CISO)

    • Responsible for parts of the risk assessment which regard information security
    • Can approve residual risk
    • Signs when submitting to the Data Protection Agency

    Data Protection Officer (DPO)

    • Advises as needed
    • Must acknowledge having seen the impact assessment report
    • Must provide a statement upon acceptance of the residual risk and when the Data Protection Agency is consulted

    The impact assessment process at AAU

    The impact assessment process at AAU is a centrally-controlled process facilitated by the GDPR unit.

    The process is a four-step process:

    1. Screening
    2. Specific assessment of whether an impact assessment should be conducted
    3. Performance of impact analysis
    4. Handling of the results

    1) Screening
    A document of yes/no questions to be completed by the project manager and sent to:
    Administration and IT projects: The GDPR unit ([contact] with the subject ‘Impact assessment’).
    Research: The contract unit’s personal data team, persondata@adm.aau.dk, with the subject ‘Impact assessment’.
    Backup screening for research: Reporting of the research project.

    2) Specific assessment of whether to conduct an impact assessment
    Performed by the GDPR unit or the contract unit’s personal data team, respectively.
    The project manager is informed of the outcome of the specific assessment and of the further process.

    3) Performance of impact assessment
    The taskforce (the GDPR unit, the contract unit and ITS) ensures that questions about the project’s handling of data, the systems chosen and the security measures implemented are addressed, that the possible consequences for data subjects in the event of a security breach are clarified, and that the risk assessment is carried out. Project managers and any other relevant key people with knowledge of and responsibility for the data processing are involved in addressing these questions.

    4) Handling of the results
    The taskforce assists with and advises on the handling of the results.
    Possible results and handling of these:

    • High and medium risk -> reduce the risks -> the project manager’s immediate manager and the CISO may be involved
    • Low risk: the impact assessment is concluded and a report is filed as documentation of the assessment
    • Medium risk which cannot be reduced further: the immediate manager can accept the residual risk, and the DPO provides their opinion (the report is filed as documentation)
    • High risk that cannot be reduced by appropriate security measures: the DPO provides their opinion and the Data Protection Agency is consulted (the taskforce is responsible for the consultation). Further handling depends on the DPA’s response, which the taskforce coordinates. The Data Protection Agency has an eight-week deadline to reply (14 weeks in particularly complex cases).

    See a more detailed description of the process in the case processor note: Process for impact analyses (in Danish)

    The screening tool

    Find the screening tool here:

    Screening tool

    BRIEF INTRODUCTION TO THE TOOL

    The screening tool consists of yes/no questions with guidance and the opportunity to substantiate positive answers.

    The screening tool consists of two parts:

    1. Four questions: if you answer yes to any one of them, you must contact the personal data team of the GDPR unit or of the contract unit and send them your form
    2. 13 questions: if you answer yes to two or more of them, you must contact the personal data team of the GDPR unit or of the contract unit and send them your form

    When in doubt about whether to answer yes or no: answer yes, describe your doubts under ‘If yes, please elaborate:’, and send the form to the personal data team of the GDPR unit or of the contract unit, who will then make the final assessment.

    WHEN MUST THE SCREENING DOCUMENT BE PUT INTO USE?

    • For new projects, regardless of whether they are administrative, research or IT projects
    • As early on in the process as possible
    • Based on the experience gained so far, the document will need to be used when data processing relates to:
      • Sensitive, biometric, genetic and location-related information
      • A very large scope (section of the population or at a regional level)
      • A vulnerable group of data subjects
      • The monitoring of a publicly accessible area
      • Profiling/automatic decision-making
      • A direct impact on the physical health or safety of natural persons
      • Completely new technology or new uses of technology
      • The matching of data sets for other purposes
    • Impact assessments are new, which means that the basis of experience and knowledge about when they should be performed is still being built up.

    WHAT, WHY AND HOW?

    Impact assessments are a new requirement introduced by the Data Protection Regulation. Together with the data inventory requirement, it replaces the previous duty to notify.

    An ‘Impact assessment’ is an analysis of the proposed data processing activities’ impact on the protection of personal data.

    The purpose is to assess the risks to individuals’ rights, including their origin, nature and gravity, and to establish safeguards to reduce these risks.

    AAU has a legal duty to carry out impact assessments ‘where processing activities are likely to involve a high risk to natural persons’ rights and freedoms.’

    The impact assessment (and any consultation of the Data Protection Agency) must be completed before the processing (including collection) begins. All types of data processing, i.e. administrative projects, research projects and IT projects, are covered.

    Who should use the screening tool and when?

    The tool has been designed for all employees at AAU who process personal data, e.g. for research or as part of their administrative tasks.

    The tool must be used when:

    • You start processing personal data in a new way, especially with the use of new tools
    • Information is sensitive in nature
    • The processing concerns large amounts of personal data
    • The processing concerns automatic decision-making

    It is better to complete and submit one screening document too many than one too few.

    The screening tool, instructions and additional information are available on www.xxxx.aau.dk (we will add the link ourselves later)

    If you are unsure about when you need to make a risk assessment and use the screening tool, or about how to go about it in practice, you are always welcome to contact the GDPR unit for help and guidance.