The AEPD has developed a tool to enable companies and public entities that process high-risk personal data to conduct risk analyses and impact assessments.
The General Data Protection Regulation (GDPR) provides that personal data controllers and processors are obliged to perform a risk analysis and to implement any measures necessary to guarantee the rights and freedoms of natural persons. In addition, if this analysis shows that the processing poses a high risk to data protection, the GDPR requires that a data protection impact assessment (DPIA) also be performed.
To help organizations comply with these obligations, the Spanish Data Protection Agency (AEPD, by its Spanish acronym) has released Gestiona_EIPD, a free tool that helps companies and public entities carrying out high-risk processing activities to perform risk analyses and impact assessments. It can also be a useful resource for SMEs that need to perform a DPIA.
The AEPD's website features a list of the processing activities for which the GDPR requires an impact assessment, complemented by a list of those processing activities for which a DPIA is not required.
Gestiona_EIPD is designed as an online questionnaire that sets out the aspects to be taken into account in both risk analyses and data protection impact assessments. The result of this process, during which the Agency neither stores nor monitors any of the data entered, is a basic document that can serve as a starting point for any risk analysis and risk management activity, and which the data controller can use to comply with the provisions of the Regulation and the LOPDGDD (the Spanish Organic Law on Data Protection and Guarantee of Digital Rights).
This basic document not only helps with compliance with the relevant rules and regulations, but also suggests measures that may help to reduce or mitigate the risks associated with the processing. However, the Agency stresses that compliance requirements cannot, under any circumstances, be replaced by alternative technical or organizational measures. For further information, see the GDPR Compliance checklist.
It is important to note that this basic document must be completed and assessed by the data controller and, where appropriate, by the data processor, following the instructions in the AEPD's Practical guidelines for impact assessment in personal data protection.
Gestiona_EIPD is the latest addition to the catalogue of resources that the Spanish Data Protection Agency provides to help organizations comply with data protection regulations. That catalogue includes Facilita_RGPD, created for professionals and companies that process low-risk personal data. Since its launch in September 2017, Facilita_RGPD has been accessed 800,000 times, and in almost 200,000 cases users have obtained the basic documents that help them comply with the applicable laws and regulations.