Process for data protection impact assessments

Swiss companies should define a process for data protection impact assessments.

The answer in detail

What is a data protection impact assessment?

A data protection impact assessment is essentially a structured risk analysis. Its goal is to enable the responsible entities to become aware of the risks that data processing can entail and to account for them appropriately.

When does a data protection impact assessment have to be carried out?

You are required by law to conduct a data protection impact assessment whenever the data processing may entail a high risk to the personal or fundamental rights of the data subjects. In particular, a high risk exists when you use new technologies, process especially sensitive personal data, or systematically monitor public areas.

How does a data protection impact assessment have to be carried out?

In general, there are various ways you can approach a data protection impact assessment. This depends on a number of factors, including the size of your company. It is important that you first carry out a data protection risk analysis and then think about risk control. Account for the following aspects in your risk analysis:

  1. Identify all data protection risks that could occur during data processing.
  2. Analyze the risks and enter them into a matrix. During the analysis, make an assessment of the damage potential and probability of occurrence. 
  3. Rate the level of risk. 

Once you have completed the risk assessment, ask yourself how you can influence these risks. You have the following options:

  1. You avoid the risk by avoiding risky activities.
  2. You transfer the risk to a partner company (insurance, outsourcing).
  3. You minimize the risk by taking accompanying measures that reduce the damage potential or the probability of occurrence.

If the data protection impact assessment shows that the planned processing still entails a high risk to the personal or fundamental rights of the data subjects despite the planned countermeasures, you must obtain the opinion of the Federal Data Protection and Information Commissioner (FDPIC) in advance.

You can forgo a data protection impact assessment if you use a system, product, or service that has been certified for the intended application by a recognized, independent certification body.

In addition, members of a professional, industry, or business association can forgo a data protection impact assessment if the association has a code of conduct and this has been submitted to the Federal Data Protection and Information Commissioner (FDPIC).  
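As an added illustration that is not part of the original page, the following Python model encodes the decision logic described above: rating each risk from damage potential and probability, applying the three treatment options, checking whether a residual high risk triggers FDPIC consultation, and applying the trigger and exemption rules for the assessment itself. The 1 to 3 scales, the multiplicative score, the level thresholds and the reduction fields are assumptions made for this example; the page only says to rate the level.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional

class Level(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"

def rate(damage: int, probability: int) -> Level:
    """Rate a risk from damage potential and probability (each scored 1..3).
    The multiplicative score and the thresholds are assumptions for this example."""
    if not {damage, probability} <= {1, 2, 3}:
        raise ValueError("scores must be 1, 2 or 3")
    score = damage * probability
    return Level.HIGH if score >= 6 else Level.MEDIUM if score >= 3 else Level.LOW

@dataclass
class Risk:
    """One entry in the risk matrix together with the planned countermeasure."""
    name: str
    damage: int
    probability: int
    treatment: Optional[str] = None    # "avoid", "transfer", "minimize" or None
    damage_reduction: int = 0          # effect of transfer/minimize (assumed model)
    probability_reduction: int = 0

    def inherent(self) -> Level:
        return rate(self.damage, self.probability)

    def residual(self) -> Optional[Level]:
        """Level remaining after the countermeasure; None if the activity is avoided."""
        if self.treatment == "avoid":
            return None
        if self.treatment not in ("transfer", "minimize"):
            return self.inherent()     # no countermeasure planned
        return rate(max(1, self.damage - self.damage_reduction),
                    max(1, self.probability - self.probability_reduction))

def fdpic_consultation_required(risks: Iterable[Risk]) -> bool:
    """A high residual risk despite countermeasures means the FDPIC must be consulted."""
    return any(r.residual() == Level.HIGH for r in risks)

def dpia_required(indicators: Iterable[str], certified: bool = False,
                  code_of_conduct_submitted: bool = False) -> bool:
    """Trigger and exemptions as described on the page. The three indicators are the
    examples the page names; a high risk can also arise in other ways."""
    if certified or code_of_conduct_submitted:
        return False
    return bool(set(indicators) & {"new_technology", "sensitive_data", "public_monitoring"})
```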

Important information

The work is far from done after carrying out a data protection impact assessment. You must ensure that the implementation also goes according to plan. And you should review your assessment regularly. This way you can ensure that you can respond to changing conditions appropriately and in a timely manner. You should document this process so that, if necessary, you can show how you responded. 
