What Is a Data Protection Assessment?

A data protection assessment (DPA) is a document that businesses must create before engaging in certain types of data processing. It is meant to identify and weigh the benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing.

A DPA must take into account:
  • The reasonable expectations of consumers
  • The context of the processing
  • The relationship between the controller and the consumer whose personal data will be processed
  • Safeguards that can mitigate the risks, including whether the use of de-identified data would be more appropriate

DPAs are not public-facing documents, though they must be made available to enforcement authorities upon request. In that event, the authorities must keep them confidential.



This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.