Data Protection Impact Assessment (DPIA)
When a Data Protection Impact Assessment is required under Article 35 GDPR, how it is conducted methodically, and when prior consultation of the supervisory authority is necessary.
A Data Protection Impact Assessment (DPIA) is a structured process for evaluating and mitigating data protection risks associated with particularly high-risk processing operations. Article 35 GDPR requires controllers to carry out a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
When Is a DPIA Required?
Article 35(3) GDPR provides three indicative examples where a DPIA is generally required: systematic and extensive evaluation of personal aspects based on automated processing including profiling; large-scale processing of special category data or data relating to criminal convictions; and systematic large-scale monitoring of a publicly accessible area. In addition, supervisory authorities may publish lists of processing operations subject to a mandatory DPIA (positive lists) and operations that do not require one (negative lists).
Content and Methodology
The DPIA must contain at least four elements: a systematic description of the envisaged processing operations and their purposes; an assessment of the necessity and proportionality of the processing in relation to those purposes; an assessment of the risks to the rights and freedoms of data subjects; and the measures envisaged to address those risks, including safeguards and mechanisms. Where appropriate, the views of data subjects or their representatives should be sought.
Risk assessment typically follows a two-dimensional matrix that rates each identified risk by its likelihood and by the severity of the potential harm to data subjects. Risk scenarios to be considered include discriminatory decisions, identity theft, financial loss, and reputational damage. For each risk identified, mitigation measures must be defined, implemented, and documented together with the residual risk that remains after they are applied.
Prior Consultation
If the DPIA concludes that a high residual risk remains despite all mitigating measures, prior consultation of the supervisory authority is required under Article 36 GDPR. The authority then has up to eight weeks to provide a written opinion. Processing may not commence until after this consultation.
Recital 91 GDPR stresses that a DPIA should be carried out in particular when new technologies are introduced or existing processing operations are changed significantly. The DPIA must be documented and reviewed regularly, at least whenever the risk presented by the processing changes, to ensure that the processing continues to be carried out in accordance with the assessment.