Data protection impact assessment (DPIA)

A data protection impact assessment (DPIA) is a process that helps identify and minimize the data protection risks of processing personal data by a Data controller . A DPIA is required under GDPR before beginning a new project that is likely to involve a high risk to other people’s personal information.

When assessing the level of risk, you must consider the likelihood and potential severity of impact on individuals. The high risk could result from either a high probability of some harm or a lower possibility of serious harm.

Some examples of situations where a DPIA might be needed include:

  • Using new technologies for processing Personal data .
  • Processing personal data related to sensitive information like racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic and biometric data to identify a natural person, information concerning health or sexual orientation, etc.
  • Data processing used to make automated decisions about people that could have legal or other significant effects on them.Processing children’s data.
  • Tracking users’ location or behavior.

A DPIA must:

  • Describe the data processing’s nature, scope, context, and purposes.
  • Assess the necessity and proportionality of data processing and any compliance measures in place.
  • Identify the risks to individuals.
  • Identify any additional measures applicable to mitigate those risks.

Read more about DPIA:


  • Duga Digital - success story - blog

    How Oxford Online Pharmacy increased data volume by 15% with Duga Digital and server-side Piwik PRO Analytics

    Duga Digital’s success story appears as part of our Partner Spotlight series. Oxford Online Pharmacy (OOP) is a family business going back three generations to 1925. Employing experienced pharmacists and healthcare professionals, OOP is committed to translating the values and heritage of the Oxfordshire-based bricks and mortar chemists, online.

    Read more

  • What is PII, non-PII, and personal data? [UPDATED]

    Personally identifiable information (PII) and personal data are two classifications of data that often confuse organizations that collect, store and analyze such data. Both terms cover common ground, classifying information that could reveal an individual’s identity directly or indirectly. PII is used in the US, but no specific legal document defines it. The legal system…

    Read more