Data Protection Impact Assessment for Software Projects: A Guide to GDPR-compliant Software

Software Development • 20 February 2026

As of: 9 June 2026 · Reading time: 5 min



Good software is not an accident—it comes from a structured development process with clear quality standards.

Björn Groenewold, Managing Director, Groenewold IT Solutions

The essentials in brief: A data protection impact assessment (DSFA) is mandatory under Art. 35 GDPR if the processing of personal data is likely to involve a high risk, for example profiling, biometric data or large-scale monitoring.

The process includes risk assessment, action planning and documentation, and it should start at the design stage of a software project.

In today's digital world, software development is inseparably linked to the processing of personal data. Since the General Data Protection Regulation (GDPR) came into force in 2018, companies are required more than ever to ensure the protection of this data. A central tool that the GDPR provides for risk assessment is the data protection impact assessment (DSFA, from the German Datenschutz-Folgenabschätzung). But what exactly does it involve, and when does it become relevant for a software project? This article gives a complete overview and shows how a DSFA contributes to the development of GDPR-compliant software.

What is a data protection impact assessment (DSFA)?

The data protection impact assessment, in accordance with Article 35 of the GDPR, is a process for describing, evaluating and controlling the risks to the rights and freedoms of natural persons that arise from the processing of their personal data.

It is a preventive measure that must be carried out before a new or substantially changed data processing operation begins.

The aim is to identify potential data protection risks at an early stage and to minimize them with appropriate measures.

A DSFA is therefore an essential component of the principle of "data protection by design and by default" (Privacy by Design and by Default).

When is a DSFA necessary for your software project?

The GDPR does not require a DSFA for every data processing operation.

The obligation arises whenever a form of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons because of its nature, scope, context and purposes.

The GDPR itself mentions some examples in which a DSFA must be carried out.

## Standard examples from the GDPR

Article 35(3) of the GDPR lists three cases in which a DSFA is obligatory:

  • A systematic and extensive evaluation of personal aspects of natural persons based on automated processing, including profiling, on which decisions are based that produce legal effects concerning natural persons or similarly significantly affect them.
  • Large-scale processing of special categories of personal data (e.g. health data, political opinions) or of data relating to criminal convictions and offences.
  • Systematic large-scale monitoring of publicly accessible areas.

## The criteria of supervisory authorities

To give substance to the general clause of "high risk", the European data protection supervisory authorities have published a list of criteria.

If two or more of these criteria apply to a processing operation in your software project, a DSFA must usually be carried out.

In case of doubt, a DSFA should always be carried out.

| Criterion | Description |
| --- | --- |
| Scoring/Profiling | Evaluation or classification of persons, including profiling. |
| Automated decisions | Decisions that have legal consequences for data subjects or significantly affect them. |
| Systematic monitoring | Observation, monitoring or control of data subjects. |
| Special data categories | Processing of sensitive data such as health data or biometric data. |
| Large scale | Processing of data on a large scale. |
| Data matching | Combination or matching of data sets. |
| Vulnerable data subjects | Processing of data of persons in a weaker position (e.g. children, employees). |
| New technologies | Use of innovative technologies or organisational solutions (e.g. AI, IoT). |
| Third-country transfer | Transfer of data to countries outside the EU/EEA. |
| Prevention of exercising rights | Processing that prevents data subjects from exercising their rights. |

Implementation of a DSFA in practice

A DSFA is not a one-off event but an iterative process. It should be integrated into the life cycle of a software project as early as possible.

The GDPR does not prescribe a rigid method, but the following four steps have proven themselves in practice.

## The 4 central steps of a DSFA

1. **Systematic description:** A detailed description of the planned processing operations, the purposes of processing, the actors involved and the systems used.
2. **Assessing necessity and proportionality:** An assessment of whether the processing is necessary and proportionate to achieve the purpose.
3. **Risk assessment:** An analysis of the potential risks to the rights and freedoms of the persons concerned (e.g. discrimination, identity theft, financial loss).
4. **Planned remedial measures:** The definition of technical and organisational measures (TOMs) to address and minimize the identified risks.

The advantages of a proactive DSFA for the development of GDPR-compliant software

Carrying out a data protection impact assessment should not be regarded merely as a tiresome obligation. Rather, it offers considerable advantages.

It not only helps to avoid substantial fines, but also contributes significantly to the development of high-quality and trustworthy software.

A proactive DSFA shows that a company takes data protection seriously, which strengthens customer and user confidence.

Finally, the development of GDPR-compliant software is a clear mark of quality and a competitive advantage.

Conclusion: Secure through a DSFA with Groenewold IT Solutions

The data protection impact assessment is an indispensable tool for ensuring GDPR compliance in software projects.

It enables a systematic examination of data protection risks and helps to develop solid, GDPR-compliant software from the outset. However, the complexity of a DSFA requires deep legal and technical expertise.

Groenewold IT Solutions is your competent partner when it comes to developing customized and data protection-compliant software.

We support you not only in the technical implementation, but also in the implementation of data protection impact assessments.

Our team of experts ensures that your software project is based on a solid data protection foundation from the outset.

Contact us to learn more about how we can make your next project safe and successful.


**Find out our Individual software development and how we can support your company.

Next consultation appointment →

About the author

Björn Groenewold (Dipl.-Inf.)

Managing Director of Groenewold IT Solutions GmbH and Hyperspace GmbH

Since 2009 Björn Groenewold has been developing software solutions for the mid-market. He is Managing Director of Groenewold IT Solutions GmbH (founded 2012) and Hyperspace GmbH. As founder of Groenewold IT Solutions he has successfully supported more than 250 projects – from legacy modernisation to AI integration.
