The GDPR under Article 35 introduces the concept of a Data Protection Impact Assessment ("DPIA").

A DPIA is a process designed to describe the processing, assess its necessity and proportionality, and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data, by assessing those risks and determining the measures to address them. DPIAs are important tools for accountability, as they help controllers not only to comply with the requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation.

In other words, a DPIA is a process for building and demonstrating compliance.

When is a DPIA mandatory?

The GDPR does not require a DPIA to be carried out for every processing operation which may result in risks for the rights and freedoms of natural persons. Carrying out a DPIA is only mandatory where processing is "likely to result in a high risk to the rights and freedoms of natural persons".

It is particularly relevant when a new data processing technology is being introduced.

Article 35(3) provides some examples of when a processing operation is "likely to result in a high risk":

"(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale".

A DPIA can address a single processing operation or a set of similar processing operations. This means that a single DPIA can be used to assess multiple processing operations that are similar in terms of the risks presented, provided adequate consideration is given to the specific nature, scope, context and purposes of the processing.

The DPIA should be carried out prior to the processing; this is consistent with the principles of data protection by design and by default. The DPIA should be started as early as practical in the design of the processing operation, even if some of the processing operations are still unknown, and updated as the design becomes clearer.

Topics of the DPIA Report.

  1. A description of the envisaged processing operations and the purposes of the processing
  2. An assessment of the necessity and proportionality of the processing
  3. An assessment of the risks to the rights and freedoms of data subjects
  4. The measures envisaged to:
    1. Address the risks
    2. Demonstrate compliance with the Regulation

Objectives of the DPIA.

  • Prevent costly changes to process, redesign of systems or termination of projects
  • Reduce the consequences of supervision and enforcement
  • Improve the quality of data
  • Improve service provision
  • Improve decision making
  • Increase privacy awareness in an organization
  • Improve project feasibility
  • Improve communication with regard to privacy and personal data protection
  • Strengthen confidence of data subjects in the way personal data is processed and privacy is respected.

Originally published August 28, 2023

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.