Impact assessment as an “early warning system“ for better data protection

March 17, 2016

A new white paper by the Privacy Forum – coordinated by Fraunhofer Institute for Systems and Innovation Research ISI – deals with the design and implementation of data protection impact assessments (DPIAs). DPIAs are intended to help technology providers, data protection supervisory authorities and the public to gauge the data protection risks of data processing and data processing technologies. These risks can then be minimized before processing even begins. When the General Data Protection Regulation comes into force in 2018, DPIAs will become mandatory for technology providers and system operators processing personal data. Accordingly, the White Paper – “Datenschutz-Folgenabschätzung – Ein Werkzeug für einen besseren Datenschutz“ comes at a key moment to provide early information as to the form and significance of DPIAs.

Very often, online services – for example Internet shopping, social networks or the web sites of public authorities – require the collection of personal data. So far, users have only been able to avoid this practice if they explicitly refuse to use these services or explicitly refuse to allow their data to be collected. The risks resulting from data collection remain largely unknown to the general public – despite constant media reporting on data misuse or data leaks.

In 2016, the General Data Protection Regulation will be passed. Whilst the Regulation will only come into force in 2018, preparation for its implementation will begin this year. This Regulation will make DPIAs mandatory for many technology providers and system operators prior to launching, and throughout the lifespan of, their services. However, the specifics of the DPIA mechanism remain unclear.  This is where the White Paper “Datenschutz-Folgenabschätzung – Ein Werkzeug für einen besseren Datenschutz“ by the Privacy Forum comes in. The paper elaborates first principles for the design of DPIAs and their practical implementation.

Impact assessment indicate deficiencies in data protection in good time

Dr. Michael Friedewald, who researches the impacts of new technologies on data protection and privacy at Fraunhofer ISI, and is one of the co-authors of the White Paper, emphasizes the great importance of DPIAs: “Data protection impact assessments not only make it easier to gauge the risks of existing data processing technologies, they also indicate the potential negative consequences for data protection, prior to, and during, the development stage of a technology. They are a kind of ‘early warning system’. Existing deficiencies in data protection can be recognized in good time and can therefore be rectified in the course of technology development. Therefore, 'privacy by design' can be integrated at the very moment of inception of new devices or applications”.

The DPIA will have advantages for very different target groups. In the first instance, technology providers and system operators will benefit. Using DPIAs, they will be able to better direct technological development and thereby guard against having to make costly data protection improvements later. They will also be better able to avoid data leaks and will thereby guard against their potentially high monetary and reputational costs. In turn, the public will benefit as it will be easier for them to decide – on the basis of a DPIA – which online services they want to make use of.

Data Protection Impact Assessment helps supervisory authorities to exercise their duties

In addition to technology providers and users, DPIAs will be helpful for supervisory authorities. Carrying out standardized impact assessment will make it possible to fulfill their oversight duties more diligently and will help to reveal legal infringements or weaknesses in a service’s approach to data protection.

So that data protection impact assessment can in future develop its potential it should be carried out continuously throughout a product’s life cycle. This would change current data collection practices and increase companies’ awareness of citizen rights. “Control dilemmas“ and late improvements integrating tighter data protection at the end of the development phase would then become obsolete. This would benefit everyone involved. 


In the Privacy Forum, funded by the Federal Ministry of Education and Research (BMBF), experts from different disciplines deal with issues around the protection of privacy. The project lasts for three years and is co-ordinated by Fraunhofer ISI with Fraunhofer SIT, the University Hohenheim, the University Kassel, the Eberhard Karls University Tübingen, the Independent Data Protection Centre for Schleswig-Holstein as well as the Ludwig-Maximilian University Munich as partners. The research results of the project will not only contribute to scientific discourse, but will also serve to inform the public on the state of the art in privacy protection.

The Fraunhofer Institute for Systems and Innovation Research ISI analyzes the origins and impacts of innovations. We research the short- and long-term developments of innovation processes and the impacts of new technologies and services on society. On this basis, we are able to provide our clients from industry, politics and science with recommendations for action and perspectives for key decisions. Our expertise is founded on our scientific competence as well as an interdisciplinary and systemic research approach.