What is a GDPR threshold analysis and when is it mandatory?

Perform a threshold analysis in 5 steps
Assessing the risks of processing personal data plays a central role in data protection. A key instrument here is the so-called threshold analysis: a preliminary check that decides whether a data protection impact assessment (DPIA) under Art. 35 GDPR is necessary. For data protection officers and compliance officers the question regularly arises in practice: when should a threshold analysis be carried out, how does it work, and how can it be reliably assessed whether a "likely high risk" exists? This article gives practical answers to these questions and shows how threshold analyses can be integrated into the data protection organisation in an effective and legally compliant way.

What is a threshold analysis?

A threshold analysis (German: Schwellwertanalyse) is a prior risk assessment in data protection. Before a new data processing operation is started or an existing one is significantly changed, the controller checks whether the threshold of a "high risk" is exceeded. If it is, Art. 35 GDPR requires a detailed data protection impact assessment (DPIA). The term "threshold analysis" does not appear in the law itself; the obligation follows from Art. 35 para. 1, 3 and 4 GDPR. In essence it is an upstream risk analysis with which the risk level of a processing operation is determined.

The risk to the rights and freedoms of natural persons is at the centre, in other words the possible negative consequences for data subjects, such as discrimination, identity theft, financial loss or damage to reputation (see recital 75 GDPR).

A risk is typically determined by two factors: the probability that an event occurs and the severity of the resulting damage. Put simply, the more probable and the more serious the potential damage to data subjects, the higher the risk. The threshold analysis therefore asks: is this risk likely to reach a high level? If not, the processing can proceed without a DPIA. If it is, a DPIA is mandatory.

What is the difference between threshold analysis, risk analysis and data protection impact assessment (DPIA)?

These terms are closely related but have different functions in data protection management:

  • Threshold analysis is a formalised risk assessment in the run-up to a DPIA. It focuses on the yes/no question "is a high risk likely?". The potential risks are therefore not analysed down to the last detail but roughly classified on the basis of criteria. The threshold analysis is thus part of the controller's risk management and serves the decision whether a more comprehensive examination (DPIA) is necessary.
  • Risk analysis is often used as a general term and can refer both to the threshold analysis and to the detailed risk analysis within a DPIA. The GDPR expects controllers to evaluate and manage the risks of their processing activities continuously, regardless of whether a DPIA obligation exists. Every processing operation involves certain risks that must be controlled by technical and organisational measures (TOMs). Risk assessment is therefore an ongoing process in data protection management. Risk analysis in the narrower sense (analogous to a protection needs analysis in IT security) comprises the identification of risks, the assessment of their probability of occurrence and extent of damage, and the definition of measures for risk treatment.
  • Data protection impact assessment (DPIA) is the detailed examination and management of high risks. If the threshold analysis has shown that a high risk is likely, the DPIA examines it in detail. The DPIA is a structured procedure whose minimum content is specified in Art. 35 para. 7 GDPR. It typically includes a precise description of the processing, an evaluation of the necessity and proportionality of the processing, an in-depth risk analysis (which specific risks exist for which rights?), and the definition of measures to address these risks. The result is a DPIA report documenting all findings and risk mitigation measures. The DPIA also involves the advice of the data protection officer (Art. 35 para. 2 GDPR) and, if a high residual risk remains despite the measures, prior consultation of the supervisory authority (Art. 36 GDPR).


Reading tip: When must a data protection impact assessment (DPIA) take place?

When is a threshold analysis not necessary?

Under the GDPR, a data protection impact assessment is always required where a planned processing of personal data "is likely to result in a high risk to the rights and freedoms of natural persons". In practical terms this means that a threshold analysis must be carried out before a new data processing operation is put into operation or an existing one is significantly modified, precisely in order to assess that high risk. Art. 35 para. 3 GDPR explicitly names cases in which a DPIA must be carried out in any event. These include in particular:

  • a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based (e.g. fully automated credit scoring),
  • large-scale processing of special categories of personal data (sensitive data such as health data or biometric data) or of data relating to criminal convictions and offences,
  • systematic, large-scale monitoring of publicly accessible areas (classic example: video surveillance of large areas).


If a planned processing operation falls into one of these categories, the DPIA obligation is clear; the threshold analysis then merely confirms the obvious finding.

In addition, Art. 35 para. 4 GDPR requires the supervisory authorities to publish lists of processing operations for which a DPIA is required. In Germany such blacklists exist both for the non-public sector (adopted by the Conference of the Independent Data Protection Authorities, DSK) and for public bodies (issued by the BfDI). The blacklist classifies, for example, scoring systems, big data analyses of customer data and extensive monitoring measures as subject to a DPIA. It is therefore always advisable to check whether the planned processing appears on such a list.

Note: In Germany, so-called whitelists (lists of processing operations that do not require a DPIA, Art. 35 para. 5 GDPR) have been dispensed with, since practically any processing can become risky depending on the context. Instead, the principle of case-by-case examination applies: the risk of each new processing operation should be assessed individually.

When must a threshold analysis be carried out?

In all other cases, where there is no clear obligation, the threshold analysis is the method of choice for deciding whether a DPIA is necessary. As guidance, the Article 29 Working Party (now the EDPB) has defined nine criteria that indicate a high risk. As a rule, a processing operation that meets at least two of these criteria requires a DPIA. The criteria include, among others:

  • automated decisions with legal effect or similarly significant effect,
  • systematic monitoring (especially if covert or on a large scale),
  • processing of sensitive data or data relating to criminal convictions (Art. 9 and 10 GDPR), especially if extensive,
  • large-scale data processing (many data subjects, large amounts of data, long duration, wide geographical reach),
  • matching or combining data sets from different sources that data subjects originally provided for different purposes,
  • data on particularly vulnerable persons (e.g. children, patients, employees in a dependent relationship),
  • use of new or innovative technologies or processes (e.g. AI systems, tracking technologies),
  • processing operations that prevent data subjects from exercising their rights or exclude them from a service (e.g. scoring that decides access to a service).


If several of these risk factors apply, the high-risk threshold is usually exceeded. In practice, supervisory authorities tend to recommend carrying out a DPIA proactively, especially where qualitatively significant risks are identifiable. It is better to set up an impact assessment early than to risk a data protection breach. Important: a DPIA must always be completed before the high-risk processing starts (Art. 35 para. 1 GDPR requires it to be carried out "prior to the processing"). The threshold analysis should therefore already take place in the planning phase of new projects.

How do you carry out a threshold analysis in practice?

A threshold analysis is carried out in a structured way in several steps. Data protection and compliance officers can use the following tried-and-tested procedure as a guide:

Step 1: Description of the processing and general conditions

First, the planned processing operation is described as specifically as possible: which data are processed, by whom, where, how and for what purpose? This description should be reconciled with the record of processing activities (Art. 30 GDPR). It is also important to document the legal basis (Art. 6 GDPR and, where applicable, Art. 9 GDPR for special categories of data) and the purpose limitation of the processing. Without a sound legal basis the processing may not take place at all; in that case a DPIA is moot because the project would be inadmissible anyway.

Step 2: Preliminary check for obvious exemptions or obligations

Next, check whether an exemption applies or a clear DPIA obligation already exists. In some countries (e.g. Austria) there is a whitelist regulation that exempts certain processing operations from the DPIA obligation. If such an exemption applies, the threshold analysis can end here; the result is documented (including a reference to the exemption) and no DPIA is necessary. Conversely, if the processing appears on an official blacklist (list of mandatory cases), you can start the DPIA directly, and the threshold analysis serves only to document the high risk. In all other cases, the detailed risk assessment continues.

Step 3: Systematic evaluation of risk criteria

The planned processing is now assessed against a catalogue of criteria for possible high risks. Many organisations use checklists or question catalogues that cover the criteria recommended by the EDPB as well as other practical aspects. Typical key questions in a threshold analysis are, for example:

  • Are personal aspects of data subjects evaluated or scored? (keyword: profiling)
  • Are automated decisions made that have legal effect or similarly significant consequences?
  • Does systematic monitoring take place, for example through tracking or video surveillance?
  • Are special categories of personal data (e.g. health, religion, sexual orientation) or data relating to criminal convictions processed, and perhaps on a large scale?
  • Is data processed on a large scale (many persons, large amounts of data, long storage period, broad geographical coverage)?
  • Are data sets from different sources merged in a way that data subjects would not expect?
  • Does the processing concern vulnerable persons (children, employees, patients, etc. who are in a position of power imbalance towards the controller)?
  • Are new technologies or innovative processes used whose effects are still uncertain (e.g. AI, big data analytics, IoT)?
  • Can the processing prevent data subjects from exercising their rights or exclude them from a service (e.g. scoring that decides whether a contract is concluded)?


Each question targets a possible risk aspect. For each question it should be clearly documented whether it is answered "yes" (applies) or "no", and why. A single "yes" to one of the core questions (e.g. evaluation of personal aspects, processing of sensitive data or monitoring of public areas) may already be sufficient to assume a DPIA obligation; particularly with very far-reaching interventions, one should lean towards a DPIA in case of doubt. In most cases, however, it is several affirmative criteria together that indicate a high overall risk.

Step 4: Overall risk assessment and decision

The overall risk of the planned processing is then estimated by combining the results of the individual criteria. As in classic risk analyses, a risk matrix can be used to rate the probability of occurrence against the extent of damage. It is important that this assessment is objective and justified (recital 76 GDPR requires an objective assessment). If the threshold analysis concludes that there is no high risk, this is recorded in writing; no DPIA is required and the processing can start as normal (in compliance with all other GDPR requirements). If, however, a high risk is likely, a DPIA should be initiated immediately. The threshold analysis then results in the recommendation or obligation to carry out a data protection impact assessment.

Step 5: Documentation of the results

Transparency and traceability are essential here too: every threshold analysis should be documented in writing, even if the result is that no DPIA is necessary. The supervisory authority or the data protection officer must be able to follow how the controller reached the decision. The documentation should therefore contain at least: a description of the activity, the set of criteria tested, the answers and assessments, and the conclusion with reasons. In an audit, a properly documented threshold analysis shows that the controller has taken its duty to weigh up the risks seriously.

Practical tip: use existing aids. Many supervisory authorities and data protection organisations provide checklists, test schemes or tools for threshold analyses. For example, the LfD Lower Saxony offers a detailed test scheme with checklist, and there is a freely available Excel checklist from the Liechtenstein Data Protection Authority. Such resources can serve as a basis but should always be adapted to the specific circumstances of your company.
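The five steps above lend themselves to being encoded as a decision record, so that the answer to each criterion, the reason chain and the final yes/no are produced together and cannot drift apart. The following Python module is an added example written for this article, not code from the page's author or from the Ailance product. It implements the rules the text states (blacklist or whitelist short-circuit, missing legal basis, the "two or more criteria" rule, a single core criterion, a probability-times-severity matrix as fallback) and writes a timestamped record with assessor and justification. The criterion names, the choice of which criteria count as "core", the 4x4 matrix bands and the sample processing are assumptions made for illustration.

```python
"""Threshold analysis as a decision record (hypothetical example, not Ailance code).
Steps: 1 describe the processing, 2 pre-check lists and legal basis, 3 answer the
EDPB criteria with a justification each, 4 decide, 5 write a reasoned record.
Assumptions: criterion names, CORE_CRITERIA, the 4x4 matrix bands and SAMPLE."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# The nine indicators of likely high risk from WP248 (Art. 29 WP, endorsed by the EDPB).
CRITERIA = (
    "evaluation_or_scoring", "automated_decision_legal_effect", "systematic_monitoring",
    "sensitive_or_highly_personal_data", "large_scale", "matching_or_combining_datasets",
    "vulnerable_data_subjects", "innovative_technology", "blocks_rights_or_service_access",
)
# Criteria the article treats as sufficient on their own (assumption: which ones
# count as "core" is an organisational policy choice, not fixed by the GDPR).
CORE_CRITERIA = frozenset({
    "evaluation_or_scoring", "sensitive_or_highly_personal_data", "systematic_monitoring",
})


@dataclass
class Processing:
    """Step 1: description and general conditions of the planned processing."""
    name: str
    purpose: str
    legal_basis: str                  # e.g. "Art. 6(1)(b) GDPR"; empty = none found
    data_categories: list
    on_blacklist: bool = False        # on the supervisory authority's Art. 35(4) list
    on_whitelist: bool = False        # on an Art. 35(5) exemption list (e.g. Austria)
    answers: dict = field(default_factory=dict)  # criterion -> (applies, justification)
    likelihood: int = 1               # risk-matrix axes, 1 (low) .. 4 (very high)
    severity: int = 1


def risk_level(likelihood: int, severity: int) -> str:
    """Step 4 helper: 4x4 risk matrix banded by product (assumed band limits)."""
    if not (1 <= likelihood <= 4 and 1 <= severity <= 4):
        raise ValueError("matrix axes run from 1 to 4")
    score = likelihood * severity
    return "high" if score >= 12 else "medium" if score >= 6 else "low"


def decide(p: Processing) -> dict:
    """Steps 2 to 4: returns the outcome and the reason chain behind it."""
    unknown = set(p.answers) - set(CRITERIA)
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    if not p.legal_basis:
        return {"outcome": "inadmissible", "dpia_required": False,
                "reason": "No legal basis documented; the processing may not start at all."}
    if p.on_whitelist:
        return {"outcome": "no_dpia", "dpia_required": False,
                "reason": "Exempt under the supervisory authority's Art. 35(5) list."}
    if p.on_blacklist:
        return {"outcome": "dpia", "dpia_required": True,
                "reason": "Listed in the supervisory authority's Art. 35(4) list."}
    met = [c for c in CRITERIA if p.answers.get(c, (False, ""))[0]]
    core = [c for c in met if c in CORE_CRITERIA]
    level = risk_level(p.likelihood, p.severity)
    base = {"criteria_met": met, "risk_level": level}
    if len(met) >= 2:
        reason = f"{len(met)} EDPB criteria apply ({', '.join(met)}); two or more indicate likely high risk."
    elif core:
        reason = f"Core criterion '{core[0]}' applies and is far-reaching on its own."
    elif level == "high":
        reason = f"Risk matrix (likelihood {p.likelihood} x severity {p.severity}) yields a high risk."
    else:
        return {**base, "outcome": "no_dpia", "dpia_required": False,
                "follow_up": level == "medium",   # below "high", but consider preventive measures
                "reason": f"Fewer than two criteria apply and the matrix level is '{level}'."}
    return {**base, "outcome": "dpia", "dpia_required": True, "reason": reason}


def write_record(p: Processing, assessor: str) -> str:
    """Step 5: JSON record an auditor or the supervisory authority can follow."""
    record = {
        "recorded_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "assessor": assessor,
        "processing": {"name": p.name, "purpose": p.purpose,
                       "legal_basis": p.legal_basis, "data_categories": p.data_categories},
        "pre_check": {"blacklist": p.on_blacklist, "whitelist": p.on_whitelist},
        "criteria": {c: {"applies": yes, "justification": why} for c, (yes, why) in p.answers.items()},
        "risk_matrix": {"likelihood": p.likelihood, "severity": p.severity},
        "decision": decide(p),
    }
    return json.dumps(record, indent=2)


# Constructed sample: a credit check that decides whether purchase on account is offered.
SAMPLE = Processing(
    name="Automated creditworthiness check at checkout",
    purpose="Decide whether to offer purchase on account",
    legal_basis="Art. 6(1)(b) GDPR",
    data_categories=["name", "address", "order history", "external score"],
    answers={
        "evaluation_or_scoring": (True, "External score is requested and evaluated"),
        "automated_decision_legal_effect": (True, "Payment method is refused without human review"),
        "blocks_rights_or_service_access": (True, "Refusal blocks purchase on account"),
        "sensitive_or_highly_personal_data": (False, "No Art. 9/10 data processed"),
    },
    likelihood=3, severity=3,
)

if __name__ == "__main__":
    print(write_record(SAMPLE, assessor="DPO (example)"))
```

The ordering of the checks is deliberate: a missing legal basis stops the question before any risk scoring, a list entry overrides the criteria count, and the matrix is only consulted when the criteria alone do not settle the matter. A "no_dpia" result with `follow_up` set is the case the article describes as increased but not high risk, where preventive measures should still be considered.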

How do you integrate the threshold analysis into the data protection organisation?

For threshold analyses and DPIAs to be effective in day-to-day business, they should be embedded in existing processes and structures.

Early involvement and fixed processes: establish clear internal process steps that automatically trigger a data protection check for new projects or process changes. For example, your project management could stipulate that the data protection officer must be involved before the go-live of a new IT system and that a threshold analysis must be carried out. Ideally, the controller and the data protection officer carry out this analysis together. Train specialist departments to report new data processing to the data protection team at an early stage.

Documentation and verification: treat the documentation of the threshold analysis with the same care as other GDPR documentation (record of processing activities, TOMs, etc.). Specify where the completed analyses are stored (e.g. in your data protection management tool) and who is authorised to approve them. Make sure that each analysis contains a time stamp, the name of the assessor (e.g. the DPO) and a clear decision (DPIA required: yes/no plus justification). These documents underpin your compliant decision-making process in audits or in response to enquiries from the supervisory authority.

Derivation of measures and monitoring: a threshold analysis should never be an end in itself. Draw conclusions from the results: if no DPIA is required but increased risks were nevertheless identified (even if below the "high" threshold), consider whether preventive protective measures should be implemented. If a DPIA has been carried out, follow up on the measures defined there and check their effectiveness. Risk management is dynamic: monitor continuously whether the processing in question changes in a way that makes a new risk assessment necessary. Technological changes (new tools, use of AI), changes in data flows (for example transfers to third countries after new court rulings such as Schrems II) or new purposes of the processing can significantly increase a previously moderate risk. In such cases the threshold analysis should be updated or carried out again.

Create a threshold analysis with Ailance DSFA

The threshold analysis is a practical tool for putting the risk-based approach of the GDPR into everyday practice. It helps data protection officers and compliance officers to focus limited resources on the really critical processing operations. By identifying potential risks at an early stage and carrying out a DPIA in good time, data protection breaches can be prevented proactively. The higher the data protection risk, the more comprehensive the protective measures should be. The threshold analysis ensures that no high risk goes unnoticed. Overall, it makes a significant contribution to making data protection practicable and verifiable, in the sense of precautionary protection of the fundamental rights of data subjects.

A final tip: a threshold analysis can be carried out quickly and in a structured manner with our tool Ailance DSFA. The intuitive system guides you step by step through the evaluation of your processing operations, including risk assessment, automatic documentation and a link to DPIA processes. We would be happy to present the functions to you in a personal meeting. You can find more information on the Ailance DSFA product page.
