Danish DPA publishes AI data protection impact assessment template

On 22 May 2024, the Danish Data Protection Agency (Datatilsynet) introduced two new templates to aid companies and authorities in conducting impact assessments as required by data protection regulations. This initiative addresses challenges highlighted in Datatilsynet’s October 2023 survey, which revealed significant difficulties in performing timely and adequate impact assessments, particularly concerning AI applications.

The release includes two distinct templates:

  1. Generic Template: Designed for a broad range of processing activities.
  2. AI-Specific Template: Specifically crafted for assessing the development and operation of AI solutions. This template provides concrete examples of potential risks and corresponding mitigation measures, inspired by the UK’s Information Commissioner’s Office (ICO) AI and Data Protection Risk Tool Kit.

The AI-specific template includes a comprehensive quality assurance checklist to guide organizations through the assessment process. It emphasizes:

  • Clear descriptions of processing activities and the necessity of the impact assessment.
  • Systematic documentation and logical structuring of the assessment.
  • Definition of roles, data flows, and compliance measures.
  • Identification and assessment of all relevant risks and corresponding mitigation measures.
  • Regular updates and continuous review of the assessment.

Datatilsynet’s October 2023 mapping of AI usage in the public sector identified significant challenges in conducting impact assessments. These included difficulty performing assessments in a timely and adequate manner, especially for AI solutions. The new templates aim to address these challenges by providing structured guidance.

The AI DPIA template emphasizes compliance with GDPR principles, including purpose limitation, data minimization, accuracy, and security. Transparency and the ability to explain AI decisions to data subjects are also highlighted as critical aspects.

Organizations are encouraged to document specific mitigation measures for identified risks and involve domain experts in the assessment process. Clear roles and responsibilities should be assigned to ensure accountability.

If high risks cannot be mitigated, organizations must consult the Danish Data Protection Agency before proceeding. Management approval is required for the DPIA, and the views of data subjects or their representatives should be obtained where applicable.

You can find the templates here in Danish, but you can grab an automated translation into English of the AI DPIA right here. I corrected some of the terms, but of course errors can still exist.
