
Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment (DPIA) is a systematic assessment, carried out before processing begins, of the risk a planned data processing activity poses to the rights and freedoms of data subjects. The GDPR requires a DPIA when processing is likely to result in a high risk to data subjects. Its purpose is to identify those risks and decide on measures to mitigate them.


    What is a DPIA?

    A Data Protection Impact Assessment (DPIA) is described in GDPR Article 35. It is a process in which you systematically assess, before processing starts, how a planned data processing activity affects the individuals whose personal data you process.

    It is not merely a formality. A thorough DPIA helps you identify problems before they arise and design your processing so that it respects the rights of data subjects from the outset (data protection by design, Article 25).

    When is a DPIA required?

    The GDPR requires a DPIA when a processing activity is likely to result in a 'high risk' to data subjects. Article 35(3) gives three cases in which a DPIA is always required:

    • Systematic and extensive profiling: A systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects on, or similarly significantly affect, the individual.
    • Large-scale processing of sensitive data: Processing special categories of data (Article 9) or data relating to criminal convictions and offences (Article 10) on a large scale.
    • Systematic monitoring: Systematic monitoring of a publicly accessible area on a large scale, such as CCTV surveillance.

    National supervisory authorities also publish lists (under Article 35(4)) of processing types that always require a DPIA. Use these as a checklist for your own processing activities.


    When in doubt:
    Carry out the DPIA regardless. It is good practice, and it demonstrates to the supervisory authority that you take data protection seriously. There is no penalty for conducting a DPIA you were not obliged to carry out.

    What must a DPIA contain?

    GDPR Article 35(7) requires as a minimum:

    • A systematic description of the processing operations and their purposes, including, where applicable, the controller's legitimate interests
    • An assessment of the necessity and proportionality of the processing in relation to its purposes
    • An assessment of the risks to the rights and freedoms of data subjects
    • The measures envisaged to address the risks, including safeguards and security measures

    If the measures envisaged do not bring the residual risk down to an acceptable level, Article 36 requires the controller to consult the supervisory authority before the processing starts.

    Who is involved?

    The data controller bears the responsibility. If your organisation has a DPO, their advice must be sought (Article 35(2)). Processors must assist the controller with the assessment (Article 28(3)(f)), and where appropriate the controller should seek the views of the data subjects or their representatives (Article 35(9)). It is also good practice to involve IT, legal and the business areas that own the processing activity.

    Frequently Asked Questions about Data Protection Impact Assessment (DPIA)

    What is a Data Protection Impact Assessment (DPIA)?

    A DPIA is a systematic assessment of how a planned data processing activity affects the rights and freedoms of data subjects. It is required under GDPR Article 35 when processing is likely to result in a high risk.

    When is a DPIA required under the GDPR?

    A DPIA is required when processing is likely to result in a high risk to data subjects. This includes systematic and extensive profiling, large-scale processing of sensitive data, or systematic monitoring of publicly accessible areas.

    Who is responsible for carrying out a DPIA?

    The data controller is responsible. If the organisation has a DPO, their advice must be sought. The work can be delegated, and processors must assist, but accountability remains with the data controller.

    What must a DPIA contain?

    As a minimum, a DPIA must contain a systematic description of the processing and its purposes, an assessment of necessity and proportionality, an assessment of risks to data subjects, and the measures envisaged to address those risks.

    Can you carry out a DPIA even if you are not legally obliged to?

    Yes. Conducting a voluntary DPIA is considered good practice and demonstrates a proactive approach to data protection. There is no penalty for carrying out a DPIA when one was not strictly required.
