September 7, 2022

Data Protection Impact Assessment (DPIA) Checklist

Data Protection Impact Assessment (DPIA) Checklist


A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimize the data protection risks of a project. You must do a DPIA for any data processing operation that is "likely to result in a high risk" to individuals as stated in art.35 of the GDPR. It's also good practice to do a DPIA for any other major project which requires the processing of personal data.

Your DPIA must:

  • Describe the nature, scope, context and purposes of the processing;
  • Assess necessity, proportionality and compliance measures;
  • Identify and assess risks to individuals; and
  • Identify any additional measures to mitigate those risks.

Data Protection Impact Assessment Process

  1. Describe the nature, scope, context and purposes of the data processing.
  2. Ask your data processors to help you understand and document their processing activities and identify any associated risks.
  3. Consider how best to consult individuals (or their representatives) and other relevant stakeholders.
  4. Ask for the advice of your data protection officer (DPO) or seek legal counsel.
  5. Check that the processing is necessary for and proportionate to your purposes, and describe how you will ensure compliance with data protection principles.
  6. Objectively assess the likelihood and severity of any risks to individuals’ rights and interests.
  7. Identify measures that you can put in place to eliminate or reduce high risks.
  8. Record your decision-making in the outcome of the DPIA, including any difference of opinion with your DPO or individuals consulted.
  9. Implement the measures you have identified, and integrate them into your project plan.
  10. Keep your DPIAs under review and revisit them when necessary.

A well written DPIA should:

  • Be structured clearly, systematically and logically;
  • Written in plain English, with a non-specialist audience in mind, explaining any technical terms and acronyms we have used;
  • Be scheduled for review whenever you change the nature, scope, context or purposes of the processing; and
  • Be attached with any relevant additional documents you reference in your DPIA, e.g. privacy notices, consent documents.
  • Confirm whether the DPIA is a review of pre-GDPR processing or covers intended processing, including timelines in either case;
  • Explain why you needed a DPIA, detailing the types of intended processing that made it a requirement;
  • Demonstrate the relationships between controllers, processors, data subjects and systems;
  • Ensure that the specifics of any flows of personal data between people, systems, organisations and countries have been clearly explained and presented;
  • Explicitly state how you are complying with each of the data protection principles under General Data Protection Regulation (GDPR) and clearly explained your lawful basis for processing (and special category conditions if relevant);
  • Explain how you plan to support the relevant information rights of your data subjects;
  • Identify all relevant risks to individuals’ rights and freedoms, assessed their likelihood and severity, and detailed all relevant mitigations;
  • Explain sufficiently how any proposed mitigation reduces the identified risk in question;
  • Show evidence of your consideration of any less risky alternatives to achieve the same purposes of the processing, and why you haven't chosen them;
  • Give details of stakeholder consultation (e.g. data subjects, representative bodies) and include summaries of findings; and
  • Record the advice and recommendations of your DPO.

DISCLAIMER: The contents of this website are intended to convey general information only and not to provide legal advice or opinions. The information presented on this website may not reflect the most current legal developments. An attorney should be contacted for advice on specific legal issues. The implementation of a data protection law compliant Consent Management Platform (CMP) is ultimately at the discretion of the respective data protection officer (DPO) or legal department.