The AEPD's new guide and tool for managing the risk of personal data processing and carrying out impact assessments

Wednesday, 14 July 2021

On 29 June 2021, the Spanish Data Protection Agency (AEPD) published on its website a new Guide, entitled 'Risk management and impact assessment in personal data processing', which includes the latest criteria and interpretations of the AEPD, the European Data Protection Committee and the European Data Protection Supervisor, in the field of data protection risk management.
The aforementioned guide, as well as the tool that the Agency makes available to users, is aimed at small, medium and large companies, in their capacity as data controllers or data processors. It is also a very useful document for data protection officers (DPOs) as it facilitates the integration of risk management in the management and governance processes of the entities.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data (GDPR) provides that, before starting any new processing, entities must carry out a risk analysis in order to anticipate the possible adverse or unintended effects that the processing may have, and establish the measures necessary to mitigate such risks and to guarantee the rights and freedoms of data subjects. Furthermore, in those cases in which the processing operations involve a high risk to data protection, the GDPR establishes that these entities are required to carry out a Data Protection Impact Assessment (DPIA) and, where appropriate, a prior consultation with the AEPD, in accordance with the provisions of Article 36 of the GDPR.
The study and analysis of the risks, facilitated by the guide and above all by the new tool, allow the data controller to take the necessary decisions and actions to ensure that the processing complies with the requirements of the GDPR and the LOPDGDD, guaranteeing and being able to demonstrate the protection of data subjects' rights.
The Guide consists of three sections: the first contains a description of the fundamentals of risk management for rights and freedoms; the second includes a basic methodological development for the application of risk management; and the last section focuses on the cases in which a DPIA needs to be carried out, with the necessary guidance.
Likewise, together with the Guide, the AEPD has published on its website the link to access the tool EVALUA_RIESGO RGPD, which helps entities to identify the risk factors present in the processing, to make an initial assessment of the intrinsic risk (including whether a DPIA needs to be carried out), and to estimate the residual risk once measures and guarantees are applied to reduce those risks.
The AEPD points out that the risk factors displayed in the tool are not exhaustive, so the data controller must identify those specific to the processing under analysis and include them in its assessment. Furthermore, the evaluation of the level of risk for each factor carried out by the tool, as well as the final calculation, is of a general nature and represents a minimum assessment that the data controller will have to adjust to the specific case in order to accurately determine the level of risk of the processing.
Once again, the AEPD recalls the importance of analysing the risks inherent in each of the processing activities carried out, making this new guide and tool available to citizens to facilitate compliance.