Instructions for data protection impact assessments

The purpose of these instructions is to support operational units in their performance of an impact assessment. The instructions explain what such an assessment involves, if and when one must be carried out, and how to perform it.

  • Diary number: 1-282/2022
  • Decision date:
  • Validity period: Until further notice
  • Decision: Head of legal office
  • Document type: Instructions
  • Handled by department/unit: GVS.JPE.Juridiska enheten
  • Preparation with: Legal Unit and Information Security Unit

Summary of the instructions

A data protection impact assessment shall always be carried out if the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons. The purpose of an impact assessment is to anticipate risks before they arise. The impact assessment is a process for ascertaining the risks accompanying the processing of personal data, producing procedures and measures for dealing with such risks, and demonstrating KI’s compliance with the GDPR.
The purpose of these instructions is to support KI’s operational units in their performance of an impact assessment. The instructions explain what such an assessment involves, if and when one must be carried out, and how to perform it. The instructions are for everyone involved in the processing of personal data at KI. When processing personal data, the processor must decide if an impact assessment is required. Appended to these instructions is a template that can be used as a basis for the impact assessment process.

Content reviewer:
25-03-2026