Skip to content

Impact assessments and prior consultation

Preventing risks before they occur.

Are you planning an instance of personal data processing that may lead to high risk for the data subjects? If so, you must make a so-called impact assessment regarding data protection. Briefly, it is a matter of being foresighted, preventing risks and thereby protecting people's rights and freedoms. The aim is to minimise the risks in conjunction with such personal data processing that involves high risk.

About impact assessments

The purpose of an impact assessment is to prevent risks before they occur. You may need to make an impact assessment

  • before you begin an instance of personal data processing
  • if the risk associated with an ongoing instance of personal data processing changes
  • in the case of ongoing personal data processing if you have not done so earlier.

The impact assessment is a process to

  • determine what risks exist with processing personal data
  • draw up procedures and measures to meet those risks
  • demonstrate that the General Data Protection Regulation's requirements are complied with.

Start with a risk analysis

You must always make an impact assessment if your processing of personal data is likely to result in a high risk to individual people's rights and freedoms. But not everyone always needs to make an impact assessment:

  1. Analyse what risks your personal data processing may involve and suggest appropriate security measures. Document your findings so that you can demonstrate that you comply with the Regulation.
  2. On the basis of your risk analysis you then decide if you need to go further and make an impact assessment.

N.B. If in doubt, you should always make an impact assessment.

Prior consultation

If you still consider that there is a high risk with the personal data processing, you must consult Swedish Authority for Privacy Protection before you may begin the processing.

Read more about prior consultation (In Swedish)

N.B. Before you request prior consultation you must have made a thorough impact assessment that is well documented.

About the information on this page

If the information in English is different from the Swedish version of this page, the Swedish version applies.

Latest update: 16 April 2021
Page labels Data protection