What is a data protection impact assessment (DPIA) and when should we complete one?

So you are thinking about starting a new data processing project or making changes to existing processing. Before you start to process the personal data, you need to consider whether you need to undertake a data protection impact assessment (DPIA).

DPIAs must be undertaken wherever the processing you are doing is likely to result in a high risk to the rights and freedoms of individuals. The GDPR sets out 3 situations in which a DPIA will be required:

  1. Extensive, systematic profiling, with significant effects on individuals
  2. Processing criminal offence data or special category data on a large scale
  3. Large scale, systematic monitoring of a public area

An example of processing which would fall within number 2 above might be a large company introducing access to its buildings based on facial recognition.

The list in the GDPR is, however, not exhaustive. To help identify processing that is likely to be high risk, regulators have issued lists of processing operations they consider to be high risk. The European Data Protection Board has also issued guidelines, including criteria which may indicate the processing is high risk.

It is a good idea to have a checklist of relevant factors that you can refer to when starting a new project so that you can quickly establish if a DPIA is needed. It will also help you justify your reasons for not undertaking a DPIA if you decide one is not needed.

So what is a DPIA? A DPIA is a risk assessment of the processing which will help you to:

  • Create a systematic description of the processing
  • Consider whether the processing is both necessary and proportionate
  • Record the results of consultation with data subjects about the processing
  • Assess the risks to the rights and freedoms of data subjects
  • Consider appropriate measures to address and mitigate those risks and assess how effective that mitigation might be

A DPIA might, for example, reveal the need to update your privacy notices to cover the new processing; it might make you realise that you need to invest in increased security for the processing, or that you need to review your processes around data subjects’ rights to ensure these can be exercised effectively.

If you have a DPO, you should ensure they are aware of the DPIA and that they provide and record their advice on it.

Developing an easy-to-use template document will help you to make sure you cover all the necessary elements, create consistency in approach and, in time, should cut down on the amount of time spent completing DPIAs.

When you have completed the assessment, the next step will be to put together an action log and to ensure all the mitigation actions are clearly set out, with owners and dates for completion. A DPIA is a living document, so it should be regularly reviewed and must be updated if there are any changes in the processing.

If there are any high risks that remain, you will need to consult the relevant regulator(s) before proceeding.

If you fail to complete a DPIA where this is required by law, you risk significant fines. Even where a DPIA is not required, it is good practice to undertake a risk assessment and it is a great way of helping you to comply with your wider obligations under data protection law.

If you would like help in setting up a process for assessing whether a DPIA is needed and a procedure for carrying one out, or you need advice on a specific DPIA, please get in touch.
