Data protection impact assessment (DPIA)

A data protection impact assessment (DPIA) is a process that helps identify and minimize the data protection risks of processing personal data by a Data controller. A DPIA is required under GDPR before beginning a new project that is likely to involve a high risk to other people’s personal information.

When assessing the level of risk, you must consider the likelihood and potential severity of impact on individuals. The high risk could result from either a high probability of some harm or a lower possibility of serious harm.

Some examples of situations where a DPIA might be needed include:

  • Using new technologies for processing Personal data.
  • Processing personal data related to sensitive information like racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic and biometric data to identify a natural person, information concerning health or sexual orientation, etc.
  • Data processing used to make automated decisions about people that could have legal or other significant effects on them.Processing children’s data.
  • Tracking users’ location or behavior.

A DPIA must:

  • Describe the data processing’s nature, scope, context, and purposes.
  • Assess the necessity and proportionality of data processing and any compliance measures in place.
  • Identify the risks to individuals.
  • Identify any additional measures applicable to mitigate those risks.

Read more about DPIA: