
DPIA: When to Conduct an Impact Assessment

Practical guide on when and how to conduct a Data Protection Impact Assessment.

December 20, 2025 · 9 min read · By Jônata Guimarães

What is a DPIA?

A Data Protection Impact Assessment (DPIA) is a process designed to identify and minimize the data protection risks of a project or processing activity. Under Article 35(1) GDPR it must be carried out before the processing begins, and the controller must seek the advice of the Data Protection Officer, where one has been designated (Article 35(2)).

When is it Mandatory?

GDPR requires a DPIA when processing is "likely to result in a high risk to the rights and freedoms of natural persons" (Article 35(1)). Article 35(3) names three cases in which a DPIA is always required, and each supervisory authority publishes its own list of further operations that require one (Article 35(4)):

Mandatory Cases

  1. Systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based
  2. Large-scale processing of special categories of data (Article 9) or of data on criminal convictions and offences (Article 10): health data, biometric data, etc.
  3. Systematic monitoring of a publicly accessible area on a large scale: for example, large-scale video surveillance

High Risk Indicators

Outside the three mandatory cases, the Article 29 Working Party guidelines on DPIAs (WP248) list nine criteria that point to high risk:

  • Evaluation or scoring, including profiling and prediction
  • Automated decisions with legal or similarly significant effects
  • Systematic monitoring
  • Sensitive or highly personal data
  • Large-scale processing
  • Matching or combining of data sets
  • Data of vulnerable subjects (children, employees, patients)
  • Innovative use or application of new technologies
  • Processing that prevents data subjects from exercising a right or using a service or contract

As a rule of thumb from the same guidelines, processing that meets two or more of these criteria will in most cases require a DPIA. Meeting only one does not exclude the need for one, and the decision not to conduct a DPIA should itself be documented.

DPIA Methodology

1. Processing Description

  • Nature, scope, context and purposes
  • Data processed and subjects involved
  • Data flows and systems used

2. Necessity and Proportionality Assessment

  • Adequate legal basis
  • Data minimization
  • Retention periods

3. Risk Identification

  • Risks to data subjects
  • Likelihood and severity
  • Risk sources

4. Mitigation Measures

  • Technical measures (pseudonymization, encryption, access control)
  • Organizational measures (policies, training, access governance)
  • Safeguards and guarantees for data subjects, and the residual risk that remains after each measure

5. Documentation and Review

  • Assessment record, including the DPO's advice and, where appropriate, the views of data subjects or their representatives (Article 35(9))
  • Implementation plan with owners and deadlines for each measure
  • Periodic reviews, and a fresh assessment whenever the risk of the processing changes (Article 35(11))

Prior Consultation

If, after the DPIA, the residual risk remains high and you cannot reduce it with reasonable measures, you must consult the supervisory authority before starting the processing (Article 36 GDPR). The authority has eight weeks to respond, extendable by six weeks, and may issue written advice or use its corrective powers, so this step should be planned into the project timeline.

Conclusion

DPIA is an essential accountability and risk management tool. When well executed, it protects both the organization and data subjects.

Jônata Guimarães

Lawyer · Digital Law

Practice areas: GDPR, LGPD and digital contracts, operating in Portugal and Brazil.
