Privacy Impact Assessment

An essential innovation of the General Data Protection Regulation (GDPR) is the instrument of the so-called Data Protection Impact Assessment, also referred to as a Privacy Impact Assessment (PIA). The PIA is an important component of the newly introduced "risk-oriented approach" to data protection, which runs like a red thread through the GDPR. Especially where the processing of personal data poses a high risk to the data subjects, a PIA should ensure that targeted measures can be found to contain this risk.

The risk-oriented approach of the GDPR thus guides the selection of the "correct" (i.e. effective and suitable) technical and organisational measures for the protection of personal data. In everyday practice, this means that the responsible entities (controllers) can reduce or contain risks to the rights and freedoms of individual persons (e.g. customers, users, employees) by selecting suitable measures. Whether a technical or organisational measure is necessary therefore depends on the "risk level", i.e. on the extent of the possible damage to the person concerned if the risk materialises during the processing of personal data.

Risk levels

A risk in the sense of the GDPR is the possibility that an event occurs which itself constitutes damage (including an unjustified impairment of the rights and freedoms of natural persons) or which can lead to further damage for one or more natural persons. It has two crucial dimensions: the first is the severity of the potential damage, and the second is the likelihood that the event and the consequential damage will occur.

The GDPR describes three risk levels at different points in the text, which must be formally distinguished: "low risk", "risk" and "high risk".