The spanish data protection (AEPD) has published a Report of impact assessment in data protection (EIPD) addressed to Public Administrations in order to facilitate the realization of these evaluations and developed from the Practical guide for impact assessments in data protection published by the AEPD. The model has been prepared in collaboration with the ministry of labour, Migration and Social security and the centre for information security management of Social security.
Among the duties of the General Rules on data protection (RGPD) imposes on the treatment is the need to assess the impact of activities for the treatment of data protection when it is likely that such treatment may lead to a high risk for the rights and freedoms of others.
The model collects all aspects that must be taken into account in preparing reports of impact assessment, which include description of treatment, the legal basis for it, the analysis of treatment, the obligation to fulfil a EIPD or performance, as well as measures for the reduction of risk, a plan of action and a section on conclusions and recommendations.
While this model was not aimed at responsible to make data treatments of low risk, in those cases in which it is not required to make an impact assessment can be assessed the possibility of carrying out this analysis for other purposes, such as in-depth study of a treatment; improving the overall management of the processes of an organization; to generate knowledge and culture of protection of data, or an exercise in responsibility proactive.