The General Data Protection Regulation (GDPR) imposes an obligation to conduct a data protection impact assessment (DPIA) for certain high-risk processing of personal data. In practice this applies more often than one might think at first glance. A DPIA may be required not only for video surveillance but also for everyday operations in companies, such as the use of Microsoft 365 or other cloud services. Implementing the new obligations to protect whistleblowers under the new Whistleblower Protection Act also regularly necessitates a DPIA.
Microsoft 365 and other cloud services
The use of Microsoft 365 continues to be permissible under data protection law in public bodies and companies, provided certain precautions are taken. The same is true for many other cloud services. However, the sheer volume of data processed and the data protection risks involved in using cloud services often necessitate a DPIA, which can also serve as an elementary building block of data protection compliance.
Many companies are currently concerned about data protection when implementing the Whistleblower Protection Act. If an enterprise has more than 50 employees, it is obliged to set up internal reporting channels. Companies with, as a rule, 50 to 249 employees have until 17 December 2023 to do so. For all others, the obligation takes effect three months after the promulgation of the law in the Bundesgesetzblatt, the federal law gazette. Whistleblower reports may contain sensitive data relating to the whistleblowers themselves, but also to the persons accused of possible violations of the law. Particularly where internal reporting channels are digital, a DPIA makes sense and is usually required by law.
What do companies face if they do not comply?
If a DPIA is not carried out even though it is required by law, there is a risk of fines from the data protection supervisory authorities. For example, a fine of EUR 1.1 million was imposed on an automotive manufacturer in 2022 for several data protection violations, one of which was the lack of a DPIA. Furthermore, it is in the well-understood self-interest of companies to conduct DPIAs for risky processing operations. In the event of investigations and queries by the data protection supervisory authorities, a DPIA provides comprehensive documentation that can be used to demonstrate data protection compliance in the company.
Data protection impact assessments in practice
Article 35(7) GDPR explicitly sets out what a DPIA must contain. At a minimum, this includes a systematic description of the planned processing operations, an assessment of their necessity and proportionality and of the risks to data subjects, and the measures planned to address those risks. For more information, see our one-page report on the privacy-compliant use of Microsoft 365.