Instructions for data protection impact assessments

The purpose of these instructions is to support operational units in their performance of an impact assessment. The instructions explain what such an assessment involves, if and when one must be carried out, and how to perform it.

A data protection impact assessment shall always be carried out if the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons. The purpose of an impact assessment is to anticipate risks before they arise.

The instructions are for everyone involved in the processing of personal data at KI. When processing personal data, the processor must decide if an impact assessment is required.

Appended to these instructions is a template that can be used as a basis for the impact assessment process.