Basics of Data Protection Impact Assessment (DPIA)

Data Protection Impact Assessments (DPIA) are addressed in the GDPR. Article 35 requires that organizations carry out a DPIA when a processing activity is likely to result in a high risk to the rights and freedoms of natural persons. Thus, a Data Protection Impact Assessment (DPIA) is a mandatory prerequisite in a variety of cases where personal data is processed. Examples of such processing operations are systematic monitoring of individuals (such as surveillance cameras in many public areas) and processing of special categories of personal data. On the Office of the Data Protection Ombudsman’s webpages you can read more about when a DPIA is required.

DPIA as a Risk Management tool

A Data Protection Impact Assessment (DPIA) can be defined as a risk management tool: it helps an organisation to identify, assess and minimise any “high” privacy risks in new systems, technologies or processes. Performing a DPIA is an effective way to operationalise Privacy by Design, meaning that carrying out a DPIA helps to embed privacy into product and service development. A DPIA is also useful when assessing the privacy impacts of the continued use of existing systems, technologies or processes.

Involve relevant stakeholders in the DPIA process

It is good to keep in mind that a DPIA is a continuous process that aims to identify risks and solutions, rather than a one-off report produced to demonstrate compliance. Therefore, all the relevant stakeholders should be involved in the DPIA process. A DPIA helps relevant stakeholders make an informed decision regarding business operations that involve personal data processing.

Many reasons to carry out a DPIA

In addition to demonstrating compliance and proving that your organization has met the GDPR’s mandatory requirements, there are other reasons to perform a Data Protection Impact Assessment. First, a well-organized DPIA fosters communication amongst stakeholders. Second, a DPIA can protect the reputation of the organisation by preventing overly intrusive products or services from being released. Third, a DPIA is a helpful tool when collaborating with internal and even external parties: the DPIA is an internal check that must be passed, and later it can be used in communication with the authorities.

Process Overview of Data Protection Impact Assessment (DPIA)

The starting point of a DPIA process is the Records of Processing Activities. This documentation serves as the basis for the initial “threshold” assessment. After this primary risk review, if it appears that the processing activity is likely to result in high risks to individuals’ rights, the organization should conduct a Data Protection Impact Assessment (DPIA). There can also be follow-up actions, such as prior consultation with the supervisory authority, in cases where the chosen controls are not able to sufficiently mitigate the risks.

Picture 1. Process Overview


The GDPR provides flexibility to determine the precise structure and form of a Data Protection Impact Assessment (DPIA) report. However, a genuine DPIA report should include, at a minimum:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes; and
  • an assessment of the risks to the rights and freedoms of data subjects.

There are various risk assessment methodologies and frameworks that can help your organization map the risks. The methodology used should be appropriate for the organization’s needs and should be built on the following key items:

  • risk analysis from the view of the data subjects;
  • likelihood and severity assessment;
  • residual risk after the implementation of mitigating measures.


Four practical tips for carrying out a Data Protection Impact Assessment (DPIA)

Here are four practical tips for carrying out a DPIA in your organisation:

  1. Design the right overall workflow and DPIA methodology for your project.
  2. Do it as teamwork by involving all the relevant stakeholders who understand the project management cycle.
  3. Integrate it with other existing processes:
    • A DPIA is not a one-time activity aimed at ticking a box;
    • Ensure the DPIA is a living document that is consulted throughout the lifecycle of the project;
    • Revisit the DPIA once a year or otherwise at regular intervals.
  4. Use a third party to carry out the DPIA for you to ensure:
    • Objectivity in risk assessment;
    • Transparency for increased accountability;
    • Training and useful insights for future DPIA processes.

If you want to discuss Data Protection Impact Assessments (DPIA) further, please book time for a discussion here.

Please, take a look also at Privaon’s Data Protection Impact Assessment (DPIA) as a Service.