Data Protection Impact Assessment

Article 35 of the GDPR requires controllers to carry out a Data Protection Impact Assessment (DPIA) before processing that is likely to result in a high risk to the rights and freedoms of natural persons. The DPIA is a process designed to describe the processing, assess its necessity and proportionality, and help manage the risks to individuals.

Failure to carry out a required DPIA, or to carry it out incorrectly, is subject to fines of up to EUR 10,000,000 or 2% of worldwide annual turnover (Art. 83(4)(a)).

When is a DPIA Mandatory? (Article 35(3))

  • Systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects or similarly significantly affect the data subject
  • Processing on a large scale of special categories of data (Art. 9(1)) or data relating to criminal convictions and offences (Art. 10)
  • Systematic monitoring of a publicly accessible area on a large scale

The Article 29 Working Party (now EDPB) identified nine criteria that indicate high risk. Processing that meets two or more of these criteria generally requires a DPIA: evaluation or scoring, automated decision-making with legal or similar effect, systematic monitoring, sensitive data, large scale, combining datasets, vulnerable data subjects, innovative use of technology, and processing that prevents data subjects from exercising a right or using a service or contract.

DPIA Process Steps

Each step below lists the relevant GDPR article, what the step involves, and the output it should produce.

1. Determine Whether a DPIA is Required
   Article: Art. 35(1), 35(3)
   Description: Assess whether the processing is likely to result in a high risk to the rights and freedoms of natural persons, considering the criteria in Article 35(3) and supervisory authority lists under Article 35(4). A DPIA is mandatory for: (a) systematic and extensive evaluation of personal aspects based on automated processing including profiling; (b) large-scale processing of special categories of data or criminal conviction data; (c) systematic monitoring of a publicly accessible area on a large scale.
   Required Output: Documented decision on whether a DPIA is required, with reasoning.

2. Describe the Processing
   Article: Art. 35(7)(a)
   Description: Provide a systematic description of the envisaged processing operations and the purposes of the processing, including where applicable the legitimate interest pursued by the controller. Document the nature, scope, context and purposes of the processing, the categories and volume of personal data, the data flows, the technology used, and the parties involved.
   Required Output: Processing description document including data flow diagrams.

3. Assess Necessity and Proportionality
   Article: Art. 35(7)(b)
   Description: Evaluate whether the processing operations are necessary and proportionate in relation to the purposes. Consider whether the same purpose could be achieved with less data, less intrusive processing, or shorter retention periods. Verify compliance with Article 5 principles.
   Required Output: Necessity and proportionality assessment with justification.

4. Identify and Assess Risks
   Article: Art. 35(7)(c)
   Description: Assess the risks to the rights and freedoms of data subjects, taking into account the nature, scope, context and purposes of processing. Consider risks of: unlawful access, unauthorised disclosure, accidental loss, destruction, discrimination, identity theft, financial loss, damage to reputation, loss of confidentiality of data protected by professional secrecy, unauthorised reversal of pseudonymisation, and any other significant economic or social disadvantage.
   Required Output: Risk register with likelihood, severity, and risk rating for each identified risk.

5. Identify Measures to Mitigate Risks
   Article: Art. 35(7)(d)
   Description: Determine the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data. Consider technical measures (encryption, pseudonymisation, access controls, logging), organisational measures (policies, training, DPO appointment), and contractual measures (processor agreements, data sharing agreements).
   Required Output: Mitigation plan with specific measures, responsible parties, and timelines.

6. Consult the Data Protection Officer
   Article: Art. 35(2), 39(1)(c)
   Description: Where a DPO has been designated, seek their advice on the DPIA process, the identified risks, and the proposed mitigations. The DPO's role is to provide advice and monitor the DPIA process. The controller must seek the DPO's advice when carrying out a DPIA.
   Required Output: DPO consultation record including advice provided and how it was addressed.

7. Record the DPIA Outcome and Decisions
   Article: Art. 35(7), 36(1)
   Description: Document the outcome of the DPIA, including the residual risk level after mitigations, the decision on whether to proceed with processing, and the approval or sign-off. If residual risks remain high, the controller must consult the supervisory authority before processing begins (Art. 36).
   Required Output: Final DPIA report with sign-off. Supervisory authority consultation if high residual risk.

8. Review and Update
   Article: Art. 35(11)
   Description: The controller must review the DPIA when there is a change in the risk represented by processing operations, including when the nature, scope, context or purposes of processing change, when new technologies are introduced, or when the organisation or regulatory environment changes. DPIAs are living documents, not one-time exercises.
   Required Output: Review schedule and updated DPIA documentation.

Risk Assessment Matrix

The following matrix can be used to assess and categorise risks identified during the DPIA. Likelihood reflects the probability of the risk materialising. Severity reflects the potential impact on the rights and freedoms of data subjects.

Likelihood   Severity   Risk Rating   Required Action
Low          Low        Acceptable    Monitor. Standard safeguards sufficient.
Low          Medium     Tolerable     Implement reasonable mitigations. Monitor regularly.
Low          High       Moderate      Implement specific mitigations before processing. Review quarterly.
Medium       Low        Tolerable     Implement reasonable mitigations. Monitor regularly.
Medium       Medium     Moderate      Implement specific mitigations before processing. Review quarterly.
Medium       High       High          Implement strong mitigations. Consider supervisory authority consultation.
High         Low        Moderate      Implement specific mitigations before processing. Review quarterly.
High         Medium     High          Implement strong mitigations. Consider supervisory authority consultation.
High         High       Very High     Mandatory supervisory authority consultation under Art. 36 before processing. Redesign processing if possible.

Supervisory Authority Consultation (Article 36)

Where the DPIA indicates that processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller must consult the supervisory authority prior to processing (Art. 36(1)). The supervisory authority has up to eight weeks to provide written advice (extendable by six weeks for complex cases). The controller must provide the authority with the DPIA, the respective responsibilities of controller and processors, and any other information requested.

Disclaimer

This page provides general information about GDPR DPIAs and does not constitute legal advice. Consult qualified legal counsel for guidance specific to your organisation.