Data Protection Impact Assessment In Switzerland – Privacy Protection



Imagine you’re planning a hike through the majestic Swiss
Alps. You’ve got your map, your compass, and a clear
destination. But there’s one more thing you need before you set
off – a safety check. This isn’t just any safety check;
it’s a thorough review to ensure you’re prepared for what
lies ahead, understand the risks, and know how to mitigate them.
This, in the realm of data protection, is akin to what the Swiss
Data Protection Act calls a data protection impact assessment.

The essence of a data protection impact assessment

A data protection impact assessment is about foresight. It’s
about spotting data protection issues early on, simplifying
solutions, and cutting costs. Think of it as the planning stage of
your hike, where you assess the path for potential hazards. Just as
you’d want to know about a washed-out bridge on your hiking
route in advance, data protection impact assessments help catch
problems before they become complex and expensive.

When to conduct a data protection impact assessment

Not every data processing activity requires a data protection
impact assessment. Such an assessment is mandatory when the
processing is likely to result in a high risk to individuals’
rights and freedoms. This is particularly relevant in the following
cases:

  • extensive operations involving personal data that is
    particularly sensitive, such as health information, racial or
    ethnic origins, political opinions, religious beliefs, or data
    relating to administrative and criminal sanctions;

  • continuous observation or tracking of individuals in public
    spaces, perhaps through video surveillance or location
    tracking;

  • implementing algorithms or technologies, including those used
    to make significant decisions based on an individual’s
    behaviour, preferences, or movements.

Navigating the data protection impact assessment process

The data protection impact assessment process is structured yet
flexible, allowing organisations to adapt it to their specific
needs while ensuring comprehensive risk assessment. It begins with
a detailed description of the planned data processing activities,
laying out the scope and purpose clearly. This is followed by an
in-depth risk assessment, focusing on potential impacts to the
rights and freedoms of individuals. Organisations must then detail
the measures they plan to implement to mitigate these risks,
demonstrating a commitment to protecting data subjects.

An essential part of any data protection impact assessment is
evaluating the residual risk after planned measures are in place.
This evaluation helps organisations understand the effectiveness of
their risk mitigation strategies and whether further action is
necessary.

Exceptions and derogations

Conducting a data protection impact assessment can be a
significant undertaking. There are pathways for organisations to
streamline the process under certain conditions. One such pathway
is through certification, where using certified products, systems,
or services can exempt an organisation from conducting an
assessment for those specific processing activities. These
certifications are awarded by accredited bodies and indicate that
the product or service meets established data protection
standards.

Another option is adherence to approved codes of conduct. These
codes, developed by professional or sectoral associations, outline
best practices for data protection. Organisations that follow a
code of conduct that has been vetted and approved can also be
exempt from conducting a data protection impact assessment,
provided the code includes an impact assessment component and
measures to protect individuals’ rights.

Why data protection impact assessments are necessary

From a practical standpoint, data protection impact assessments
should be viewed as an investment rather than an overhead. They
offer a structured framework to refine data processing activities,
ensuring that privacy risks are identified and mitigated early on.
This foresight can significantly reduce the cost and complexity of
data protection measures down the line.

These assessments offer a clear, structured approach to
understanding and mitigating privacy risks, ensuring that
organisations can confidently move forward in their data processing
activities. Just as a compass leads hikers safely through the
mountains, data protection impact assessments guide organisations
through the terrain of privacy risks, ensuring a journey that meets
data privacy and protection requirements.

Consider us your guides through this landscape. For a journey
that ensures your data protection is on point, let’s connect
for a complimentary 20-minute call.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
