Once your business has gained an overview of what kind of personal data you have, if necessary, you have this data, if you have a treatment, what systems data is (physical and digital), how the user management of this data is and what policies, procedures and processes you already have in place, it is time for the next phase, which is evaluation of the different areas.


Risk analysis

An assessment of the risk of the individual systems must be made. The Ministry of Justice has written that old systems should not undergo an impact assessment, but that there are only new systems. One can rightly ask the question how this should be done because a risk analysis is based on an impact assessment.

Therefore, the following sections are interesting to read anyway, as it is the same methodology used to define defined risks.

GlobalSequr’s assessment at this time is that each system writes a section about what your company considers to be at risk of the system, what mitigation measures have been taken and what the contingency plan contains of points.

Impact Assessment (DPIA)

DPIA stands for Data Protection Impact Assessment and means that you must impact new systems (non-existent systems) that meet the following characteristics:

  • If systematic and comprehensive automatic processing of personal data is performed
  • If extensive processing of sensitive information is made
  • If extensive surveillance of public areas is being undertaken

By using DPIA as a tool, you get the following benefits:

  • Risk management in relation to the processing of personal data
  • Less probability of data leaks
  • Easier to become compliant in relation to the GDPR
  • Privacy by design (also known as Security by design within IT security) and Privacy by default can become part of the development process of IT systems rather than later
  • Better overview in case of a security breach

Example of a DPIA in a company

The company is a renowned e-shop that sells clothes. Associated with the internet shop there is a customer database which contains personal data. The company has identified that the worst possible could be that the entire customer database is deleted or leaked on the Internet. This can happen either by a hacker attack or by an employee who either makes an error or intentionally wants to cause injury.

The following model graphically shows what elements constitute the overall risk:



Once the impact assessment has been prepared, your business has an overview of the risks the different systems have and you have the opportunity to implement the IT security measures.

Data Flow Analysis

If your business has many systems, data flow analysis can be the biggest task – especially if you have not tried it before.

You have to map your data effectively, understand the data flow, describe it and identify its key elements; for example, find out how data enters, changes, deletes and moves across physical and digital systems.

It is important that this analysis phase is properly structured, and you do not do more than the law prescribes, it would be enough to make an overall description.

Understand the data flow

A data stream is a transfer of personal data from one place to another, for example:

  • From a country in the EU to a country outside the EU
  • From suppliers and subcontractors to customers
  • From one system to another

Describe the data flow

Review the data life cycle to identify unforeseen or unintentional use of data. Thus, it will be easier to identify and minimize which data is being collected.

In addition, it is important to ensure that the persons using the information are informed of the practical consequences.

Identify the main elements

One of the big issues in the GDPR is how data comes in. Here are two options:

  • The company receives data (accepted by the user)
  • Collection of data (no user acceptance)

There is a huge difference in these areas, and the legislation will stifle the group that collects, links, and uses personal data as part of their business model.

The questions you want to answer when we look at your systems are:

  • What type of data is processed (name, email, address, etc.)?
  • What kind of data are these?

Personally identifiable information (e.g. name, address, phone number and email)

Sensitive data (e.g. religion, sexuality, ethnicity and union)

  • In what format is data stored?

Digital systems (describe which ones)

Physical systems (describe which ones)

  • How do you collect data?



Social Media

  • How do you share data internally and externally?
  • What places are involved in the data stream?



Third part

  • Who is responsible for your personal information?

Is it static or does it change organizationally?

How is data accessed and which management tools are there to access data?

  • Who has the access to data?

Personal data can be disposed in different locations in the organization. This can be on paper on desks, in locked cabinets, in digital systems. Thus, the first challenge is to determine which information is to be registered and in what format.

Based on the Impact Assessment (PDIA), it must be identified whether there is sufficient security about the type of personal data in question.

Security of personal data embraces 3 main areas:


Once you have completed these areas, you have to come a long way and have come a long way in terms of being compliant with the laws. At GlobalSequr we have experienced and competent employees who can complete the entire process or be project manager and quality assurance.