
Data protection assessment

A Data Protection Impact Assessment

Under the General Data Protection Regulation and the Danish Data Protection Act (Databeskyttelsesloven), we must check and document whether we adequately protect the personal data we use in a specific data processing activity.

In some cases, an envisaged data processing activity and handling of personal data may be likely to result in a high risk of damage to the data subjects if the data end up in the wrong hands, are altered or disappear.

In these cases, AAU is obliged to assess this potentially high risk and – if the risk proves to be high – to take measures aimed at reducing it.

If AAU cannot significantly reduce the risk, the processing of personal data may only be commenced following approval from the Danish Data Protection Agency.


    What is a data protection impact assessment?

    A data protection impact assessment is an analysis of the impact of intended data processing activities on the data subjects whose data are processed. The following will be examined in the data protection impact assessment:

    • Whether there is a high risk to the rights and freedoms of data subjects in connection with a specific processing of their personal data – that is whether the processing entails a high risk of damage to the data subjects – screening
    • The impacts on the data subjects of the specific processing of personal data – data protection impact assessment
    • The organisational and technical security measures we can implement to reduce the risk and impacts to a low level – handling

    At AAU, we have decided that data protection impact assessments are a four-step process. However, we rarely need to go through all four steps:

    1. Screening, where it is established whether an intended personal data processing activity is of such a nature that it may result in a high risk to the data subjects whose personal data are processed.
    2. Specific evaluation – based on the screening – of whether a data protection impact assessment is to be conducted.
    3. Performance of data protection impact assessment.
    4. Handling of the result of the data protection impact assessment.

    Who should do what and when?

    System owner/data owner

    Who: The system and/or data owner are the AAU employees responsible for initiating a new administrative project or process, a research project, a new IT system or a similar process in which personal data will be processed.

    What: When you start a new research project, a new administrative project or a new process in which you process personal data in a new way, or are to develop a new system, you first need to find out whether you are processing personal data. See here for a further definition of personal data (in Danish).

    If you process personal data, you must fill in the screening tool, which forms the basis for assessing whether a data protection impact assessment is to be conducted. You can find the screening tool here.

    The task of the system and/or data owner is to:

    • examine whether personal data are being processed and, if so, examine whether the envisaged data processing activity is already described in the entity’s records of processing activities under Article 30
    • fill in the screening tool, which consists of thirteen yes/no questions if the processing activity is not described in the entity’s records of processing activities under Article 30
    • submit the filled-in screening tool to the mailbox konsekvensanalyse@aau.dk
    • contribute to any data protection impact assessment with their knowledge about the new project/process/system.

    When: You must use the first step, the screening tool, as early as possible in your work process. The filled-in screening tool is submitted to konsekvensanalyse@aau.dk.


    Impact assessment task force

    Who: AAU has set up an impact assessment task force with IT technical/information security, legal and organisational/business competences. This mix of competences is intended to implement and manage the process, to facilitate the decentralised task in each individual case, and to build up knowledge of and experience in data protection impact assessments at AAU.

    What: The task force is responsible for:

    • making a specific evaluation, based on the screening tool, of whether a data protection impact assessment is to be conducted
    • conducting the actual data protection impact assessment and managing the work process
    • handling the results of the data protection impact assessment, including proposing specific organisational and technical security measures aimed at reducing high risks
    • documenting and recording the investigative work.

    When: When the screening of a project, process, etc. has been received from the system owner/data owner.


    The system and/or data owner’s manager, see the delegation instructions

    Who: The system and/or data owner’s manager, see the Rector’s delegation instructions.

    What: If the conclusion of the data protection impact assessment requires additional organisational and technical measures to reduce the risk to the data subjects, the management’s task is, in accordance with the delegation instructions, to:

    • take the financial responsibility for these measures, or
    • take responsibility for the remaining risk if a decision is made not to implement further risk-reducing measures, together with the Chief Information Security Officer, or based on a recommendation from the Data Protection Officer.

    When: The system and/or data owner’s manager, see the delegation instructions, is to be contacted if the implementation of further organisational and technical measures is necessary to reduce the risk to the data subjects.


    Chief Information Security Officer (CISO)

    What: The CISO is responsible for the parts of the data protection impact assessment that deal with information security. The system and/or data owner’s manager may, based on the Rector’s delegation instructions, in consultation with and following the opinion of the DPO, approve a residual risk that cannot be further reduced. The CISO must sign the impact assessment report if it is to be submitted to the Danish Data Protection Agency.

    When: The impact assessment task force will involve the CISO in the process if the risk cannot be reduced after additional protective measures have been added, or if it is necessary to contact the Danish Data Protection Agency.


    AAU’s data protection officer (DPO)

    What: The DPO advises as needed. The DPO must declare that he/she has seen the final impact assessment report. In addition, the DPO must issue an opinion upon acceptance of a medium risk or if it is necessary to contact the Danish Data Protection Agency.

    When: The impact assessment task force will involve the DPO in the process if needed, if the risk cannot be further reduced after additional protective measures have been added, or if it is necessary to contact the Danish Data Protection Agency.
