Data Protection Impact Assessments

What Is a Data Protection Impact Assessment?

A Data Protection Impact Assessment (DPIA) is an analysis that data controllers must carry out with regard to certain data processing. A DPIA is required where the processing is likely to result in a high risk to the rights and freedoms of natural persons. They are meant to identify the risks involved in the processing, as well as ways to minimize that risk.

In particular, a DPIA should include the following:

  • A systematic description of the processing operation and, where applicable, the legitimate interest pursued by the controller
  • An assessment of the necessity and proportionality of the processing in relation to the purposes
  • An assessment of the risks to the rights and freedoms of data subjects
  • Measures to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of data and demonstrate compliance

Essentially, you must describe what you’re doing, why you’re doing it, what risks are involved, and how you will address those risks. Rather than approaching it as a rubber-stamp exercise, controllers should use DPIAs as an opportunity to carefully consider their higher-risk processing activities and prevent problems from arising in the future.

When Is a DPIA Required?

As stated above, controllers must carry out a DPIA when the processing is likely to result in a high risk to the rights and freedoms of data subjects. That standard is a bit vague, but there is some guidance as to what it means.

First, the GDPR itself gives three examples of processing that automatically requires a DPIA:

  • Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
  • Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offenses
  • Systematic monitoring of a publicly accessible area on a large scale

It’s important to note that these are not the only processing activities that require a DPIA; they are just examples. To further help controllers decide when they must complete a DPIA, the European Data Protection Board has identified the following criteria as indicators of high risk:

  • Evaluation or scoring
  • Automated decision making with legal or similar significant effect
  • Systematic monitoring
  • Sensitive data or data of a highly personal nature
  • Data processed on a large scale
  • Matching or combining datasets
  • Data concerning vulnerable data subjects
  • Innovative use or applying new technologies
  • Preventing data subjects from exercising a right or using a service or contract

When using these criteria, the general rule is that a DPIA is likely required if two or more apply to a particular processing activity. That is not a strict rule, however; there may be situations where meeting just one of these criteria triggers the need for a DPIA. If you carry out this analysis and decide that a DPIA is not required, it is a good idea to document this decision and your reasoning.

What Do You Do With a Completed DPIA?

Once you have finished a DPIA, you are not required to share it with the public; in most cases you are only required to keep it on hand and produce it upon request to the data protection authorities. In some cases, however, you must submit the DPIA for approval by authorities before commencing or continuing the processing activity in question.

This extra step is required when the DPIA indicates that the processing does indeed involve a high degree of risk and there is no way to reduce that level of risk. In that case, the relevant data protection authority will review the DPIA and then either accept the proposed processing activities, suggest mitigating measures, or warn against proceeding with the processing.

Beyond this, it’s important to update the DPIA as the circumstances of the processing change.

External Resources

Information Commissioner’s Office (UK) Guidance on DPIAs

DPIA template from the ICO (Word document)

European Data Protection Board guidance on DPIAs (PDF)

This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.