4. Assess the risks and impact of processing
The hobby organiser must always assess the risks related to the processing of personal data before starting processing. If the processing is likely to involve a high risk to the data subjects, a data protection impact assessment is required. The data protection impact assessment is designed to identify, assess and manage risks related to the processing of personal data.
The impact assessment concerns risks caused by the processing of personal data and the measures required to address those risks. An impact assessment must be made when the planned processing is likely to cause a high risk to the rights and freedoms of individuals. It is intended to be a continuous process of identifying and managing risks. The impact assessment must be made before the start of processing and updated whenever necessary.
The necessary safeguards must be in proportion to the risk caused by the processing: the higher the risk, the more effective the safeguards need to be. Processing special categories of personal data, children’s data, or a large volume of personal data concerning a large group of people can cause a high risk.
The level of risk is assessed on the basis of the nature, scope, frequency, context and purposes of the processing. The more extensive and regular the processing and the more sensitive the personal data, the higher the potential risk to data subjects. If an association is processing sensitive data or special categories of personal data on a large scale, it must conduct a data protection impact assessment of the processing. For example, processing the health data of club members may require an impact assessment.
The Office of the Data Protection Ombudsman has drawn up instructions to support controllers in conducting data protection impact assessments, along with a simple Excel tool that can be used for the impact assessment.
Read more: Information on impact assessments on the Office of the Data Protection Ombudsman’s website.