HELSENORGE

Data protection impact assessment (DPIA)

Norwegian

Purpose: A Data Protection Impact Assessment (DPIA) aims to describe the processing of personal data and assess whether it is necessary and proportionate. It should also help manage the risks posed by the processing to an individuals' rights and freedoms by assessing these risks and defining risk-reducing measures. A DPIA is an important tool for accountability, as it not only helps the data controller ensure compliance with the requirements of the GDPR, but also documents that sufficient measures have been taken to ensure compliance with the regulations. A DPIA should contribute to establishing and demonstrating compliance. ​

Assessment of whether DPIA should be carried out​

If it is likely that a type of data processing will pose a high risk to an individuals' rights and freedoms, the data controller must, before the data processing takes place, assess the potential impact of the data processing on privacy. This risk must be assessed before conducting a DPIA. If the risk is assessed as high, a DPIA must be conducted. 

This means, for example, that most artificial intelligence projects will need to carry out a DPIA. ​

​Implementation of DPIA

The DPIA must be conducted before the processing of personal data begins and must contain, as a bare minimum: 

  1. a systematic description of the processing activities 
  1. a description of the purpose of the processing 
  1. an assessment of whether the processing activities are necessary and proportionate to the purpose 
  1. assessment of the risks to the data subject's privacy 
  1. planned risk-reducing measures for privacy 

The DPIA must be carried out by the person/those who have day-to-day responsibility for the processing of personal data (project manager, researcher, etc.) 

It is recommended that the implementation is based on the template and guidance from Directorate for e-health [Direktoratet for e-helse]. 

Approval of DPIA​

A DPIA must be delivered to the responsible institution's data protection officer. 

The data protection officer shall advise on the assessment of the data protection impact and verify its implementation is in accordance with GDPR Article 35, including assessing and making a recommendation as to whether the risk is acceptable for the processing. 

The management of the organization need to approve the conclusion of the Data Protection Impact Assessment. 

Internal proceedings at UNN​

The data protection officer (PVO team) can advise on the implementation of the DPIA before and during the process. They are happy to meet and provide feedback and contribute when necessary. The PVO team can be contacted by email via personvernombudet@unn.no

When the DPIA has been completed, the PVO team at UNN will review the DPIA and possibly provide feedback to the project manager or establish assumptions in the recommendation. It is then sent to the data protection officer who reviews it, and possibly recommends the processing, and signs it before it is sent to the management (centre manager at the Research and Education Centre [Forsknings- og utdanningssenteret]) for approval. 

Internal proceedings at UiT​

For research projects that need to carry out a DPIA, Personal Protection Services at Sikt can assist with the preparation of these assessments. 

When a proposal for a DPIA has been drawn up, it is sent to the Department for Research, Education and Communication [Avdeling for forskning, utdanning og formidling ] (FUF). 

UiT has its own DPIA group, which also includes the data protection representative. FUF leads this. The group assesses the DPIA and makes a recommendation to the director of administration whether the DPIA should be approved or not, alternatively with reservations. The group can also send questions or even the entire DPIA back to, for example, the project if there are deficiencies which would mean that a recommendation could not  be given at that point. 

For further information about the DPIA at UiT, see here. ​

Examples of completed DPIAs​​

For inspiration and guidance, it is possible to contact the data protection officer at UNN to get examples of some implemented DPIAs at UNN. However, it is emphasized that all project leaders must make individual assessments regarding the data protection impact. A DPIA that is simply copied from an other DPIA will be rejected. 

This guide is based on the procedure PR54703 in Docmap. ​