Data protection impact assessment (DPIA) under the GDPR

A Data Protection Impact Assessment (DPIA) evaluates the potential risks arising out of any new processing activity before that activity actually takes place. With a DPIA, data-protection risks can be identified beforehand.

A controller is obliged to carry out a DPIA if its processing activities are likely to result in a high risk to individuals’ rights and freedoms. Such a high risk may arise if new technologies are used. A DPIA must be prepared before the processing takes place. If the controller has designated a data protection officer (DPO), it must seek the DPO’s advice when carrying out a DPIA.

A DPIA is required in particular in the following situations:

  • a systematic and extensive evaluation of personal aspects relating to individuals based on automated processing (including profiling) on which decisions are based that produce legal effects or similarly significantly affect the individual
  • processing sensitive data on a large scale
  • a systematic monitoring of a publicly accessible area on a large scale

The minimum content requirements for a DPIA are:

  • a systematic description of the envisaged processing operations and purposes of the processing, including the controller’s legitimate interest (if applicable)
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes
  • an assessment of the risks to the rights and freedoms of data subjects
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of individuals and other persons concerned

The WP29 issued Guidelines on Impact Assessments for further clarification. They are available at: https://ec.europa.eu/newsroom/document.cfm?doc_id=44137.

Prior Consultation

Whenever processing activities pose a high risk to data subjects’ rights and freedoms, the relevant national supervisory authority must be consulted, in addition to the DPIA carried out internally within the organization.