Today, the Danish Data Protection Agency publishes two templates for conducting impact assessments that companies and authorities can use. One template relates to AI solutions and the other is of a more generic nature.
Companies and authorities that are required to conduct an impact assessment under data protection rules have a new tool for their daily work. Two templates for conducting impact assessments have today been published on the Danish Data Protection Agency’s website. The templates will help ensure that companies and authorities carry out sufficient impact assessments correctly and on time.
What is an impact assessment and when is it relevant?
The impact assessment is a requirement under data protection regulations. The assessment is a tool that makes it possible to work with the risks that a processing operation may entail in a systematic way. The analysis must be carried out if a processing operation is likely to result in high risks to data subjects.
New templates for conducting impact assessments
As part of its supervisory work, the Danish Data Protection Agency has found that companies and authorities in many cases face challenges in conducting impact assessments.
For example, the Danish Data Protection Agency’s mapping of the use of artificial intelligence in the public sector from October 2023 showed that authorities generally face challenges in conducting impact assessments, including conducting them in a timely manner when developing and using artificial intelligence. Also, several of the supervisory authority’s decisions relate to missing or inadequate impact assessments.
It is against this background that the Danish Data Protection Agency today publishes two new templates for conducting impact assessments. One template is of a more generic nature, and the other template specifically addresses impact assessments when developing and operating AI solutions.
The purpose of the templates is to help companies and authorities in their work with conducting impact assessments. The template for AI includes concrete examples of risks and measures that may be relevant when working to reduce these risks.
However, the catalogue of risks and measures is not exhaustive, and controllers must assess whether there may be additional risks that are relevant. It is ultimately the responsibility of data controllers to ensure that impact assessments carried out comply with data protection regulations.
The template for AI has been developed with inspiration from the UK Information Commissioner’s Office (ICO) AI and Data Protection Risk Tool Kit. This, and the ICO’s work with artificial intelligence in general, can be found on the ICO page titled "Artificial intelligence | ICO".