Module 10 · Data protection impact assessment (DPIA, Articles 35 and 36)
A DPIA serves two purposes: it builds data protection into planning, and it demonstrates compliance to supervisory authorities (SAs). A PIA is broader and lighter and can be run on any process; a DPIA is a legal requirement in specified cases, with prescribed contents, and the DPO advises on and monitors it (Article 39). A DPIA is required where processing is likely to result in a high risk, especially new technologies, large-scale profiling, large-scale special-category data, or large-scale monitoring of a public area. Under Article 36 you must consult the SA only when a high risk remains unmitigated.
- When required - processing likely to result in a high risk, especially: new technologies; systematic and extensive evaluation/profiling with significant effects; large-scale special-category data; or large-scale systematic monitoring of a public area.
- Contents - a description of the processing, its necessity and proportionality, the risks, and the measures to mitigate them.
- Prior consultation (Article 36) - consult the SA when a high risk remains unmitigated; the SA advises and may block the processing.
You do NOT always consult the SA after a DPIA. Prior consultation under Article 36 is triggered only when a high risk remains unmitigated after the planned measures have been applied.