What is a DPIA?

A Data Protection Impact Assessment is a process or operation(s) conducted by the controller to identify possible high risks arising from data processing and to minimize them as early as possible. The principal purpose of a DPIA is to ensure the protection of the rights and freedoms accordingly to the GDPR of the natural person whose personal data will be processed. It is a process that must be undertaken before the actual data processing starts.

Legal grounds for a DPIA.

The DPIA is described in the GDPR by Article 35 together with Article 36. It can be summarized as a process undertaken for two main reasons:

1. Legal reason – to ensure the protection of the rights and freedoms of the natural person whose personal data will be processed according to the GDPR.

2. Technological reason – the high risk arises particularly by using new technologies or the technical process used to process the personal data could affect the rights and freedoms of the natural person.

The controller’s task is to analyze if it’s technical process could impact the rights and freedoms of the natural person.

Who can conduct a DPIA?

The controller, advised by the data protection officer and the processor of the controller. They will work together under the supervision of the controller for the conduct of the DPIA, per Article 35 of the GDPR. Of course, this process can be conducted under all forms if there are joint controllers, several processors, or several data protection officers. The process will be done accordingly to the legal agreement between the said parties and the GDPR.

When to do a DPIA?

The GDPR presents three situations when to conduct a DPIA1: where the GDPR specifically demands one, when it is not necessary to do one and when the controller considers necessary to do one.

1. When is DPIA mandatory? Besides the requirements from the GDPR presented in Article 35(1), illustrated by Article 35(3), and complemented by Article 35(4), if one or two of the nine criteria are met.

2. When isn’t a DPIA mandatory? Mainly when the processing is not “likely to result in a high risk”, or a similar DPIA exists, or it has been authorized prior to May 2018, or it has a legal basis, or it is in the list of processing operations for which a DPIA is not required (Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679).

3. Controller’s choice. Even though we are in the above situations and a DPIA has already been conducted, it remains to the controller to conduct a new DPIA if new processing operations arise or if certain aspects need to be verified again. The GDPR does not practically restrain any form of prevention.

Why is a DPIA valued?

A DPIA is valuable for a controller because of its importance, the way to conduct it and the results will be notified to the Supervisory Authority per GDPR, where guidance and guidelines will be provided in return to the controller. A DPIA could be partially published or a summary of it may be published, though not legally required by the GDPR. Publishing it ensures transparency and accountability and helps foster trust in controller’s processing operations.