Further Reading: Data protection impact assessments

A Data Protection Impact Assessment (DPIA) is an assessment of the impact of the envisaged processing operations on the protection of personal data.

A DPIA is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals. A single assessment may address a set of similar processing operations that present similar high risks.

A DPIA must be completed before processing commences.

The advice of the DPO, or equivalent, must be sought before completing the assessment.

A DPIA is mandatory in the following cases:

  • a systematic and extensive evaluation of personal aspects of an individual based on automated processing, including profiling, on which decisions are based that produce legal or other significant effects on the individual concerned
  • processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences
  • systematic monitoring of a publicly accessible area on a large scale
  • processing of a kind included in a list published by the ICO or other relevant data supervisory authority

A DPIA is good practice before commencing any major new project in which personal data is to be processed.

A DPIA must include:

  • a description of the nature, scope, context and purposes of the processing, including the legitimate interests pursued, if applicable
  • an assessment of the necessity and proportionality of the processing in relation to the identified purposes
  • identification and assessment of the risks to individuals
  • the measures identified to address those risks, ensuring the protection of personal data and demonstrating compliance

Where feasible, the individuals whose data is to be processed, or their representatives, should be consulted.

References:

Articles 35, 63, 69
Recitals (75), (84), (89) to (93)
DPA section 14
ICO guidance:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/
Article 29 Working Group Guidelines, 13th October 2017, adopted by the EDPB:
http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236