The Spanish Data Protection Agency (SDPA), which aims to protect and promote the rights and freedoms of Spanish citizens, has published two guidance documents:

  1. Guidance on Risk Analysis in the Processing of Personal Data ("Risk Analysis Guidance").
  2. Guidance on Impact Assessments ("Impact Assessment Guidance").

The Risk Analysis Guidance aims to support organizations that cannot use other tools provided by the SDPA. It includes an adequate methodology for assessing the level of risk in any processing of personal data carried out, along with templates and annexes to assist these organizations. The results of such a risk analysis can then be used to determine whether it is necessary to carry out an impact assessment.

An impact assessment identifies the risks that any system, product or service may pose to citizens' rights and freedoms. When performing an impact assessment, the organization must therefore know not only what data is being collected but also precisely how it will be used. The purpose of carrying out an impact assessment is to help organizations manage those risks before they arise. The Impact Assessment Guidance therefore helps organizations identify the activities that may entail a high risk and establish control measures, in the form of an action plan, to minimize that risk before carrying out any processing of personal data.