Data protection processes

Good practices include

• comprehensive specification of requirements, for example, in procurements and operational development
• preparing a data protection impact assessment
• data protection agreements and annexes for stakeholders
• committing supply chain organisations to produce and comply with data protection principles.

Data protection agreements and annexes concerning data protection must ensure that the contracting partners and stakeholders commit to ensuring data protection in their own subcontracting chains.

Personal data is also transferred between controllers and processors For example, organisations producing information systems are processors to whom data is transferred when deploying information systems. In some situations, controllers also disclose personal data to other controllers.

Personal data is usually processed in information systems that the controller does not produce. Subcontracting chains are often long, and data protection is the responsibility of many actors who may have varying data protection practices. In fact, you should involve representatives of all actors involved in the processing chain, i.e. the processors, in the Data Protection Impact Assessment.

If the controller (such as a wellbeing services county) has not built an information system in the cloud service where it processes personal data, you should involve the following parties in the impact assessment:

1. a representative of the processor (such as the information system’s supplier), and
2. a representative of the possible sub-processor under the processor (such as the technical provider of the cloud service).

When calling for tenders for systems or services that require an assessment by the data protection officer, involve your organisation’s data protection officer in the procurement process well in advance before signing the agreements.

When you involve the data protection officer at the right time, the data protection officer will have enough time to sufficiently familiarise themselves with the agreements that are usually extensive, and you can proceed with the procurements within the planned schedule.

If the data protection officer is contacted only a few days before the contract is supposed to be signed, and they find out that data protection has not been sufficiently taken into account, taking data protection requirements into account afterwards may delay the preparation of the agreement or the deployment of activities, or even entirely prevent the conclusion of the agreement at the last moment.

If the supervisory authority finds shortcomings in the data protection of the system after the system has been deployed, rectification of the shortcomings may require modifications. Modifications are costly for the controller organisation, which is your organisation. Sometimes it may even be impossible to make modifications.

As supplier agreements are binding, your organisation may have to pay the supplier for the system and service that is unusable due to data protection reasons for the duration of the agreement’s term.

The Data Protection Impact Assessment describes, for example, the planned processing of personal data regarding its

• nature
• purposes of the data processing
• implementation methods.

Documentation of risks is part of all risk management, including the Data Protection Impact Assessment process. When preparing the impact assessment, you will form the majority of the required documentation.

The impact assessment must also be approved. The impact assessment is approved by a representative of the controller who has jurisdiction to decide on the purposes and means of personal data. The approval must also be documented.

Carry out a Transfer Impact Assessment (TIA) as well, if the data might be transferred to third countries. Read more about the assessment related to data transfer on this guide’s page Data protection glossary.

The data protection impact assessment differs from traditional risk management in that it focuses on the data subject instead of the organisation, its operations or its resources. For example, some personal data processing activities may be relatively risk-free for the organisation, but they pose a high risk to data subjects.

When preparing an impact assessment, you should remember that it focuses on the processing of personal data and the processes related to it. The impact assessment is therefore not an assessment of, for example, the level of information security of the information system used, although the information system may play a key role in terms of the content of the impact assessment.

Ensure that, when using impact assessment tools, the evaluators have

1. a good understanding of the planned personal data processing activities;
2. adequate knowledge of the intended processing activities, their grounds, means and purposes.

A Data Protection Impact Assessment is a risk management measure that can be useful even if it does not oblige your organisation.

Keep the organisation’s data protection officers and potential data protection specialists aware of the progress of the impact assessment.

In some situations, it may also be useful to hear the views of the data subjects on the intended processing of personal data before the approval. For example, you can ask staff or employee representatives for their views on the intended processing activities. These views should also be documented and, if necessary, updated on the basis of comments.

The Data Protection Impact Assessment must be reviewed and, if necessary, updated regularly. The assessment must be updated whenever there are changes to processing activities or the operational environment. The controller should add updating the Data Protection Impact Assessment in its annual clock concerning data protection.

• Impact assessment (Office of the Data Protection Ombudsman)Opens in a new window.
• Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679 (European Data Protection Working Party, PDF)Opens in a new window.

If the data protection principles are not observed and the rights of the data subjects are not implemented in a manner that is compliant with the requirements

• the risks to data subjects increase
• the impacts and probability of risks to the controller increase.

The implementation of data subjects’ rights is the best way to ensure the management of data protection risks while minimising the impacts of risks on both the organisation and the data subject. The implementation of data subjects’ rights should therefore be regularly documented and evaluated. The documentation must also be updated on the basis of the assessment.

The implementation of rights must also be transparent to the data subjects, and they should be informed of it.

When implementing data subjects’ rights, you should remember that the data subject cannot exercise all of their rights in all situations. For example, the grounds for processing personal data may affect which data subjects’ rights are applicable to the processing.

• VAHTI hyvät käytännöt -tukimateriaali: tietosuojan vaikutustenarvioinnin alkukartoitus (Digital and Population Data Services Agency, in Finnish, DOCX)Opens in a new window.
• VAHTI hyvät käytännöt -tukimateriaali: tietosuoja - vaikutustenarviointi (Digital and Population Data Services Agency, in Finnish, DOCX)Opens in a new window.
• Tietosuojan vaikutustenarviointityökalu (Office of the Data Protection Ombudsman, XLSX)Opens in a new window.
• Tietosuojan vaikutustenarviointityökalun käyttöohje (Office of the Data Protection Ombudsman, in Finnish, PDF)Opens in a new window.
• Tietosuojan vaikutustenarviointi rikosasioiden tietosuojalain mukaan (Office of the Data Protection Ombudsman, in Finnish, PDF)Opens in a new window.

• Assessment criteria for information security in public administration (Julkri) : Recommendation and criteria (Ministry of Finance)Opens in a new window.

Using an annual clock is a good way to monitor the effectiveness and impact of processes. You can add data protection risk management to

• management’s annual clock
• the annual clock of data protection specialists, and
• the annual clock of the parties responsible for the handling processes.

The controller manages the risks related to the data protection of the organisation and data subjects. Although the data protection officer is not responsible for data protection risk management, they can provide valuable advice and support to the controller.