Key points:
A Data Protection Impact Assessment (DPIA) is a process that identifies and minimizes the data protection risks of a project; it is mandated by EU data protection law.
A DPIA must be performed for processing that is likely to result in a high risk to individuals (this includes certain specified types of processing). It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
A DPIA must: (i) describe the nature, scope, context and purposes of the processing; (ii) assess necessity, proportionality and compliance measures; (iii) identify and assess risks to individuals; and (iv) identify any additional measures to mitigate those risks.
To assess the level of risk, organizations must consider both the likelihood and the severity of any impact on individuals. High risk could result either from a high probability of some harm or from a lower probability of serious harm.
Controllers should consult with (i) their data protection officer (if they have one) and, (ii) where appropriate, individuals and relevant experts. Processors may also need to assist the controller at this stage. If a controller identifies a high risk that cannot be mitigated, they must consult with the data protection authority before starting the processing.
Under Article 35 of GDPR:
Art. 35 GDPR Data protection impact assessment
1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
4. The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.
5. The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the Board.
6. Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.
11. Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.
DPIAs conducted by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties are regulated by Article 27 of Directive (EU) 2016/680, and the requirements may vary according to Member State law.