In short, a Data Protection Impact Assessment (DPIA) is a process for identifying and minimizing the risks that arise from processing personal data. Those risks range from unauthorized access by internal or external actors to handling personal data in ways the individual did not expect or agree to. The assessment is mandatory where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
A DPIA is not required before every new processing activity, only before activities that are likely to present a high risk to the “rights and freedoms of natural persons”. While “high risk” is not precisely defined, Article 35(3) lists specific scenarios in which a DPIA is always required:
A systematic and extensive evaluation of personal aspects relating to natural persons which are based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
A systematic monitoring of a publicly accessible area on a large scale.
The GDPR (Article 35(7)) sets out the minimum contents of a DPIA as:
A systematic description of the processing operations and the purposes of the processing;
An assessment of the necessity and proportionality of the processing operations in relation to those purposes;
An assessment of the risks to the rights and freedoms of data subjects; and
The measures that will be taken to address those risks, including the safeguards and security controls put in place to protect personal data and to demonstrate compliance.
To meet these requirements, organizations will need to work closely with their Data Protection Officer (whose advice the controller must seek where a DPO has been designated) and with the other key stakeholders in the project throughout the assessment. A DPIA should begin in the earliest stages of a project, before any processing starts, so that its findings can still shape the design. The GDPR leaves considerable flexibility in how the DPIA is run and coordinated, so the process can be fitted to an organization’s existing practices and to sector- or business-specific requirements.
Use the criteria described above to determine whether a DPIA is required. If there is any doubt, it is still good practice to perform the assessment: the cost is low, and it produces documented evidence of compliance.
An assessment should be treated as a tool for improving your processes, not as a box-ticking compliance exercise. Once the DPIA is complete, its findings need to be fed back into the project and referred to throughout its lifecycle. That means revisiting the assessment whenever the processing changes, new technologies are introduced, or the risk picture shifts.
Although there is no legal requirement to do so, publishing your DPIA (or a summary of it) can be valuable from a transparency perspective. By doing so, your organization holds itself accountable to the public and makes it easier for individuals to understand the processing and exercise their data rights. Some organizations will nevertheless choose to withhold their DPIA, either because it contains commercially sensitive information or simply because they do not want to invite additional scrutiny.
Data Protection Impact Assessments are a meaningful tool for data controllers to ensure that new projects involving the processing of personal data comply with the GDPR. While the regulation sets out only a generic set of requirements, the criteria described in this post can be adapted to the unique nature of an organization and its data processing activities.