Data protection impact assessment (DPIA)
A DPIA (also called a PIA) systematically identifies and addresses the data protection impacts of new products, services or activities. Under Article 35 it is mandatory where processing - in particular processing using new technologies, and taking into account its nature, scope, context and purposes - is likely to result in a high risk to the rights and freedoms of individuals. Article 35(3) gives three example high-risk activities, and the WP29 guidelines list nine criteria (meeting two or more usually means a DPIA is needed). The DPIA must contain four documented elements (Art 35(7)), and the controller must seek the DPO's advice (Art 35(2)). If a high risk remains after mitigation, the controller must carry out prior consultation with the DPA before processing begins (Article 36).
A DPIA is the process by which a company systematically assesses the privacy and data protection impacts of what it offers, then acts to prevent or minimise those impacts. Under Article 35 it is mandatory where a type of processing - in particular using new technologies, and considering its nature, scope, context and purposes - is likely to result in a high risk to rights and freedoms. A single assessment may cover a set of similar high-risk operations.
| Source | Trigger |
|---|---|
| Art 35(1) general test | Processing (esp. using NEW TECHNOLOGIES) is LIKELY TO RESULT IN A HIGH RISK to rights and freedoms |
| Art 35(3) example 1 | Systematic and extensive PROFILING that produces legal effects or significantly affects individuals |
| Art 35(3) example 2 | Processing SPECIAL CATEGORIES of data on a LARGE SCALE |
| Art 35(3) example 3 | Systematic MONITORING of a publicly accessible area on a large scale (e.g. CCTV, surveillance, drones) |
| WP29 guidelines | NINE criteria; meeting TWO OR MORE usually means a DPIA is required (e.g. large-scale + matching/combining data sets) |
The assessment must contain at least the following four elements (Art 35(7)):

- A systematic description of the envisaged processing and its purposes (incl. any legitimate interests pursued)
- An assessment of the necessity and proportionality of the processing relative to the purposes
- An assessment of the risks to rights and freedoms of individuals
- The measures to address the risks - safeguards, security measures and protection mechanisms
If, after the DPIA, the processing would still result in a high risk in the absence of measures taken by the controller to mitigate it, the controller must consult the DPA before processing begins (Article 36). The DPA has up to eight weeks to respond, extendable by a further six weeks for complex processing, and may suspend the clock while it awaits requested information.
When an assessment is required, the controller should seek the advice of its DPO, if one is appointed (Art 35(2)), and where appropriate seek the views of affected individuals or their representatives (Art 35(9)) on a case-by-case basis. All aspects of the assessment must be documented.