Data Protection Impact Assessment
A formal assessment required before processing activities that are likely to result in high risks to individuals’ rights and freedoms.
A Data Protection Impact Assessment (DPIA) is a process required under GDPR Article 35 to evaluate and mitigate the risks of proposed data processing activities that are likely to result in a high risk to individuals’ rights and freedoms. The controller must carry one out before the processing begins, and it is mandatory in at least three cases: systematic and extensive evaluation of personal aspects based on automated processing (including profiling) that produces legal or similarly significant effects, large-scale processing of special categories of data or criminal conviction data, and large-scale systematic monitoring of publicly accessible areas (such as CCTV). Supervisory authorities are required to publish lists of further processing operations that need a DPIA, and may publish lists of operations that do not.
A DPIA must include a systematic description of the processing operations and their purposes, an assessment of the necessity and proportionality of the processing in relation to those purposes, an evaluation of the risks to data subjects’ rights and freedoms, and the measures planned to address those risks, including the safeguards and security measures that demonstrate compliance. Where a Data Protection Officer has been designated, the controller must seek the DPO’s advice during the DPIA process. If the assessment shows that the processing would still result in a high risk after the planned mitigations, the controller must consult the supervisory authority under Article 36 before proceeding. A DPIA is not a one-off document: it should be reviewed and updated when the processing operations change or the risk they present changes.