The Spanish Data Protection Agency (AEPD) has published a model data protection impact assessment (EIPD) report addressed to public administrations, in order to make these assessments easier to carry out. It was developed from the Practical Guide for Data Protection Impact Assessments published by the AEPD. The model was developed in collaboration with the Ministry of Labour, Migrations and Social Security and the Information Security Centre of the Social Security IT Management Office.
Among the obligations that the General Data Protection Regulation (RGPD) imposes on controllers is the need to assess the data protection impact of processing activities when such processing is likely to result in a high risk to the rights and freedoms of individuals.
The model covers all the aspects that must be taken into account when producing an impact assessment report. These include the description of the processing, the legal basis that justifies it, the analyses of the processing, the obligation to carry out an EIPD or its performance, as well as the measures to reduce the risk, an action plan and a section of findings and recommendations.
Although this model is not aimed at controllers whose data processing is low risk, where an impact assessment is not mandatory they can consider carrying out this analysis for other purposes, such as studying the processing in depth; improving the overall management of an organization's processes; generating knowledge and a culture of data protection; or exercising proactive responsibility.