Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment (DPIA) is a process designed to identify the risks a project creates through its processing of personal data, and to reduce those risks as far as possible and as early as possible. DPIAs are important tools for mitigating risk and for demonstrating compliance with the GDPR.

Potential risks should be evaluated before any personal data is collected or processed, a task usually led by the organization's Data Protection Officer (DPO). Nonetheless, risk evaluation is an ongoing process and must be revisited whenever new tools or methods are introduced (see GDPR Article 35). The aim is to prevent mistakes that could harm both the individuals concerned and the organization.

You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. It is also good practice to do a DPIA for any other major project which requires the processing of personal data.

Your DPIA must:

  • Describe the nature, scope, context and purposes of the processing;
  • Assess necessity, proportionality and compliance measures;
  • Identify and assess risks to individuals; and
  • Identify any additional measures to mitigate those risks.

To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk can result either from a high probability of some harm, or from a lower probability of serious harm. You should consult your data protection officer (DPO) and, where appropriate, the individuals affected and relevant experts.