Impact assessment
Is an impact assessment needed?
If the processing of personal data is likely to lead to a high risk to the rights and freedoms of natural persons, we are obliged under the General Data Protection Regulation to carry out a so-called impact assessment.
Situations where an impact assessment may be required are, for example, when processing sensitive personal data, data that is highly personal, or processing on a large scale. It may also be required in the case of processing where personal data from two or more sources are combined in a way that the data subject does not expect (for example, when combining registers). Additional instances where this may be required are when processing data on persons who are at a disadvantage or in a position of dependency for any reason and are therefore vulnerable (e.g. children, employees, asylum seekers, the elderly or patients).
To help determine whether an impact assessment needs to be carried out, use the needs assessment template. You can of course also contact the data protection officer.
Each heading has an explanation. If you do not want to see the explanation, click on the "arrow mark" next to the heading. If an impact assessment is required, the template below should be used; it works in the same way, with explanations.
Remember that the impact assessment that has been carried out must be registered and marked as confidential. If you need further guidance when carrying out the impact assessment, read IMY's practical guide "Guidance in impact assessment".
Template for impact assessment
One of the steps in the impact assessment is to make a risk assessment, and for that step the template below is used.
Risk management in impact assessment