2021.10.15All blog posts

8 takeaways from “Ensuring effective impact assessments” with NNIT

In the latest instalment of our new webinar series Compliance Best Practices, we follow up on the topics of privacy program roles and responsibilities and how to maintain data mapping, with a closer look at impact assessments.

Joining us for our third episode are Bettina Kok and Mia Louise Bukholt from Danish IT and consulting firm NNIT. With their experience running a wide range of assessments, expert GDPR knowledge and backgrounds across a range of company sizes in both public and private sectors, Bettina and Mia were the ideal guests to give us insights and advice on improving efficacy in this area. 

When asked by host and Complyon’s Head of Customer Success, Alexandra N. B. Sigursteinsdóttir, why they’d agreed to contribute to our impact assessment webinar, Bettina replied, “Our immediate reaction was ‘Finally! Because we feel there must be more of a spotlight [on the subject]’”.

Bettina’s response reflects our observation that while impact assessments are essential components of any successful data protection plan, they can often be overlooked and under-resourced.

If you’re looking to persuade a client to take their impact assessments more seriously, or you want new tips for streamlining your process, you can watch the full webinar here.

Below, you’ll also find eight major takeaways from our discussion that explore the potential of impact assessments to transform businesses from reactive to proactive entities, helping keep their organisation’s data as safe as possible.


Timing is everything when it comes to impact assessments. Yet, as prioritisation of these assessments is typically low, businesses often fail to capitalise on the value of the process or only pick up on major issues when it’s too late. 

As emphasised by Bettina and Mia, you should always carry out your assessment prior to any form of implementation, especially regarding the DPIA. This initial screening process ensures that your timeline can continue as planned if you add a new system or subcontractor to your project. You won’t experience a stall waiting for your team to assess and approve the change, saving you time and money before entering into any contracts.

Carrying out your assessment at the right time in the project cycle also allows you to make more strategic, data-driven decisions, helping you realise the efficacy of a new solution or suitability of a third party at the start of a project rather than in the middle of it.

For instance, imagine you want to introduce a new project such as installing analytics software to track your new website metrics. Rather than picking a solution and conducting your assessment later down the line, you should carry out your DPIA beforehand.

Questions to consider would include ‘Is the purpose of the processing formally defined?’, ‘Will there be disclosed data to third countries?’ and ‘Are there high risks associated with processing personal data?’

If any of your replies are negative, it would be much less problematic to revise your plan if you haven’t already committed to or purchased your tracking software.  


Before you begin your assessment, you need to have visibility over the company’s data flow. Always break these flows down, whether using a spreadsheet or taking advantage of the advanced overviews and functionalities of purposely designed software.

Once you understand the data flow, you can then turn your attention to assigning ownership to areas of risk. You don’t need to allocate a risk per person; there can be one person in charge of several risks; just make sure you add accountability into your assessment to avoid any steps being missed. 

Software can also help you streamline the ownership process. Solutions such as Complyon give you access to features that allow you to easily assign responsibilities, keep track of a project’s progress and send colleagues deadline reminders directly within the system.

A lot of the manual effort is removed, it’s easier to keep everyone on track, and all your information is in one centralised and secure location. 


Speaking of her experience facilitating awareness, risk assessment and DPIA workshops, Mia highlighted the common issue of employees being sceptical of the need for assessments. “Why are we here? We don’t need this risk assessment” are words Mia has heard many times. 

However, in Mia’s experience, by asking the right questions, you often discover that risk scenarios have been either missed or understated. It’s not unusual for high-risk situations to emerge from processes that she was initially told contained no personal data.

Mia also brought up a common issue that many people are unaware of. Even if you don’t process data, if you have access to it or can see it, that still falls within the confines of GDPR.

For example, a company that produces clothes may feel that the only departments processing data are HR and IT (who deal with employee data) and Sales and marketing (who manage customer data). They’ll often consider those producing the clothes totally separate from anything that involves GDPR and compliance.

However, this isn’t correct. If those making the clothes send out emails, have a list of employee birthdays, upload photos to an internal HR portal or have access to a computer with consumer data on it, they are processing data or have the potential to process data. These all count as risky scenarios to consider for assessments.

Although you may be met with initial hesitation or scepticism around risk assessments, it’s important to remember that employees usually leave the process understanding more about their role and feeling a new sense of ownership over their workflow. So, while it may take some effort to change initial attitudes, keep in mind that in the end, everyone in the company benefits from the assessment. 


According to our panel, whenever you touch customer data, you should do some form of assessment. Even if it’s considered low-risk, when it comes to personal data, any risk is a threat to your company and needs to be taken seriously.

However, you don’t need to do a full-blown risk assessment for all low-risk activities. Simply document what you know and don’t know and be open and honest about how the process could potentially harm those behind the data.

Documenting low-risk scenarios helps you monitor their status, identifying if they increase in risk over time. These limited assessments can also help protect your business from fines if the situation escalates and is brought to the attention of a regulatory body.

When any organisational change occurs, it’s best practice to apply your basic GDPR questions such as: ‘What types of data are you processing?’ and ‘Is it generic, confidential or sensitive?’ 

Be sure to explain these words to the people you’re speaking to so that moving forward, they understand the risk attached to their actions and can take subsequent steps to remain compliant. 

If necessary, you can then move on to more complex areas such as customer segments or types of data subjects (e.g. individuals, employees, clients) and start digging deeper with more advanced questions. 

At this point, pre-defined templates or software are extremely useful in streamlining your process and assisting clients to become compliant at the best achievable level. 


If the result of a risk assessment is that you discover medium or high-risk scenarios and part of what’s causing the risks are the systems being used,  Bettina and Mia recommend reviewing the technical setup alongside employees with technical knowledge such as an IT Solutions Architect or Delivery Manager.

Combining technical expertise with compliance knowledge allows you to really understand a system, find where you can reduce risk, and quickly execute those changes. 

Employees with more technical knowledge will also have a different mindset that is invaluable to the assessment. While those with a legal, compliance, information security or risk background will know what changes to make, they may not necessarily have the technical knowledge of how to implement the changes they want to make. For instance, encryption and setting up compliant storage solutions often require deep and specific technical expertise.  

An added bonus to working closely with the technical team is that you’re prompting them to take a closer look at their processes, giving them the chance to optimise workflows. For instance, through your assessment, you can help determine if a system is the right one to be using and if it’s set up correctly. 


Anyone who has done an impact assessment will know that not everyone shares our interest in and enthusiasm for the process. Employees are often very busy, so they can be easily agitated if someone is adding work to their immediate to-do list.

Wherever possible, bring some patience and empathy into your encounters to make the assessment as pain-free as possible and try your best to cultivate more positive feelings about the project. 

Honesty is another key approach to consider, as often people fear that assessments might disrupt or halt their workflow. Therefore, it can be tempting not to answer your questions correctly if it means they can continue working as they please. 

Encourage people to answer with total transparency, especially if something feels like it may be risky. Assure them that you’ll work to lower the risk, which means avoiding navigating negative outcomes further down the line. 

Facilitating honesty and weathering impatience can sometimes be trickier when assessments are carried out internally. If you know the road ahead could be slightly confrontational, consider hiring an external consultant who can be completely objective and ask the tough questions. 


Perhaps one of the most pressing messages from our talk with Bettina and Mia is that impact assessments should be regarded as ‘organic documents’ that are dynamic, ever-changing and always in need of regular updates.  

While at the time you conduct them, you’re doing so using the best current knowledge; you need to remember that things change – legislations change, employees change, clients change, products change. 

This inevitable change means that you must go back and revisit your assessments whenever it’s time to do something new, such as introducing new software, working with a third-party service, or optimising a workflow. Even if you are just updating documentation, these evaluations will ensure you’re always acting with maximum compliance and minimum risk.


With impact assessments being ‘organic’ rather than static, Bettina and Mia often work with businesses to create yearly compliance wheels, helping them keep track of their progress and better monitor risk.

Involving structured processes and, in most modern scenarios, dedicated software, this approach allows companies to go back and look at their documentation at the right time to confirm if a system or process is still valid following any changes. 

Without this structured approach, a business would have to start from scratch whenever they needed to conduct an assessment, leading to more work, an increase in resources and delayed timelines. 

Compliance wheels also allow people to be more productive, focusing on areas that are likely to change instead of spending time on irrelevant questions or reviewing parts of the process that have stayed the same.

Here’s where systems come in handy again. Many have the ability to notify when it’s time to do another risk assessment and which type it should be. It may be the case that very little has changed, but in revisiting your compliance wheel and ticking a box to determine risk levels haven’t changed, you can rest assured you’re keeping company data safe and can quickly move on to your next task. 

If you’ve found our webinar on impact assessments insightful and would like to learn more about how our team and software can help streamline your processes, get in touch with our team today.

Our next line-up of Compliance Best Practices webinars is now live on our website. You can check them out and sign up here.

Want to hear more?

Let's talk about how our experience and software can help your company.