A Data Protection Impact Assessment (DPIA) is an assessment of the impact of the envisaged processing operations on the protection of personal data.
A DPIA is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals. A single assessment may address a set of similar processing operations that present similar high risks.
A DPIA must be completed before processing commences.
The advice of the DPO or equivalent must be sought before completing the assessment.
A DPIA is mandatory in the following cases:
A DPIA is good practice before commencing any major new project in which personal data is to be processed.
A DPIA must include:
If feasible, individuals whose data is to be processed, or their representatives, should be consulted.
References:
Articles 35, 63, 69
Recitals (75), (84), (89) – (93)
DPA section 14
ICO guidance
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/
Article 29 Working Group Guidelines 13th October 2017 - adopted by the EDPB
http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236