2B Advice

Data Protection Impact Assessment

What Is A Data Protection Impact Assessment (DPIA)?

There are a number of types of impact assessment that a data controller might undertake, depending on the data protection or privacy laws it is subject to, the types of processing activities it carries out, and the maturity of its privacy program. Here we describe the requirements for a Data Protection Impact Assessment.

Learn More About Data Protection Impact Assessments

See how we can help your company with a Data Protection Impact Assessment today. 

Since 2003

We are one of the providers with the longest experience in the market.

International Team

Our data protection expertise is transnational and we work internationally.

Top 5 % Employer

Received the prestigious award from kununu, one of the leading European platforms for employer evaluation.

About DPIA

According to the General Data Protection Regulation (GDPR) Art.35, the processing of personal data which is likely to result in a high risk to the rights and freedoms of natural persons, shall, prior to the processing, undergo an assessment of the impact that such processing operations may have on the protection of personal data.

This assessment is known as a DPIA (Data Protection Impact Assessment), and it is solely the responsibility of the controller to ensure that it is carried out. Situations in which a DPIA should be conducted include processing that employs new technologies, processes large quantities of data and/or special categories of data, involves monitoring or profiling, or relies on automated decision-making. In certain circumstances the place of processing also matters: under Art. 35(4) and 35(5) GDPR, the local data protection supervisory authority publishes lists of processing operations for which a DPIA is mandatory (a "blacklist") and, optionally, operations for which it is not required (a "whitelist").

DPIA Objectives

The DPIA is performed exclusively on a single, specific processing activity that could result in a high risk to the rights and freedoms of natural persons, also called data subjects. The DPIA aims to identify and quantify potential high risks to the data subjects before the processing begins.

Since it is an element of the GDPR, whose core value is the preservation of the rights and freedoms of data subjects, the data protection impact assessment does not take into consideration the risks that the organization itself may face (financial, reputational or operational risk). Those belong in a separate business risk assessment.

DPIA Solutions

A DPIA should be carried out prior to processing or in the design phase of a new technology and on a regular basis (audit) thereafter.

  • Work with 2B Advice’s team of experts to analyze the circumstances specific to your situation
  • Benefit from an external point of view for the identification of risk
  • Work with 2B Advice’s team to adjust our methodology to your business
  • Develop an internal process for running DPIAs in the future

DPIA Benefits with 2B Advice

Understanding your areas of privacy risk is a complex journey and 2B Advice Privacy experts are here to help you.

Often it is helpful to start with a Privacy Impact Assessment to get an overall idea of your areas of risk; or, if cross-border data transfer is a key requirement, you might begin with a Data Transfer Impact Assessment. If digital transformation is a key initiative, you could start with a Cloud Migration Impact Assessment. Our risk assessments may be run as a single activity, in parallel, or in sequence as you progress on your privacy compliance journey.

Frequently Asked Questions About Data Protection Impact Assessments

The Data Protection Impact Assessment, or DPIA, is specified by Article 35 of the GDPR. The DPIA is performed exclusively on a single, specific processing activity that could result in a high risk to the rights and freedoms of natural persons, also called data subjects. It aims to identify and quantify potential high risks to the data subjects before the processing begins.

Since it is an element of the GDPR, whose core value is the preservation of the rights and freedoms of data subjects, the DPIA does not take into consideration the risks that the organization itself may face.

Note that, depending on the language and region, you may also hear this type of assessment called a Data Privacy Impact Assessment. Here we use the terms interchangeably.

The 2B Advice methodology follows the basic requirements set out in Article 35 GDPR (in particular the minimum content listed in Art. 35(7)) and is enriched by recommendations of supervisory authorities and best practice. A DPIA always comprises the following steps:

1. Systematic description of the processing activity (including responsibilities)

2. Risk assessment (including necessity and proportionality assessment)

3. Proposal of measures to address the risks, including safeguards and security measures that mitigate the likelihood or severity of the identified risks / threats, and documentation of the residual risk.

A data protection impact assessment is needed when the manual or automated collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data (aka “processing activity”) is likely to result in a high risk to the rights and freedoms of natural persons.

It should be carried out prior to processing or in the design phase of a new technology and on a regular basis (audit) thereafter.

The objective of a DPIA is not to eradicate all risk, but should help you minimize and determine whether the level of risk is acceptable in the circumstances, taking into account the benefits of what you want to achieve.

A DPIA is a process designed to help you systematically analyse, identify and minimise the data protection risks when processing personal data. It is a key part of your accountability obligations under the GDPR (Art. 35 GDPR), and when done properly helps you assess and demonstrate how you comply with all of your data protection obligations.

The GDPR itself does not enumerate what counts as "high risk"; the Article 29 Working Party guidelines on DPIAs (WP 248 rev.01, later endorsed by the European Data Protection Board) list nine criteria to consider when determining whether a processing activity is likely to be high risk. Processing that meets two or more of these criteria will in most cases require a DPIA:

1. Evaluation or scoring, including profiling and predicting
2. Automated decision-making with legal or similarly significant effect
3. Systematic monitoring
4. Sensitive data or data of a highly personal nature
5. Data processed on a large scale
6. Matching or combining datasets
7. Data concerning vulnerable data subjects
8. Innovative use or applying new technological or organizational solutions
9. Processing that prevents data subjects from exercising a right or using a service or contract

Criterion 8 leaves quite a broad scope for interpretation. Companies need to carry out due diligence to determine whether their processing falls inside or outside the scope of this criterion.

Under the GDPR, DPIAs are mandatory for high-risk processing activities, and non-compliance with the DPIA requirements can lead to fines imposed by the supervisory authority. Failure to carry out a DPIA when the processing is subject to one, carrying out a DPIA in an incorrect way (Article 35), or failing to consult the competent supervisory authority where required (Article 36(3)(e)) can each result in an administrative fine under Article 83(4)(a) of up to EUR 10 million or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller is responsible for carrying out the data protection impact assessment, seeking the advice of the DPO where one is designated (Art. 35(2)) and obtaining the necessary assistance from processors (Art. 28(3)(f)). The controller remains accountable for the risk and for ensuring that the DPIA is carried out, even though the assessment itself may be performed by someone else.

Under the GDPR, in order to manage the risks to the rights and freedoms of natural persons, the risks have to be identified, analyzed, estimated, evaluated, treated, and reviewed regularly. Carrying out a DPIA is a continual process, not a one-time effort.

How can 2B Advice help with Data Protection Impact Assessments?

2B Advice offers privacy compliance software and services that help with Data Protection Impact Assessments, including risk assessment tools and catalogs, stakeholder questionnaires, a database for records of processing activities, and more. If you need help getting started, ask about our consulting services for your DPIA when you are launching a new product, implementing new technologies, or undertaking other high-risk processing activities.

Questions? Contact us today or call +1 (858) 366 9750

ISO 19011

Certified Auditor

Gold Member

IAPP Gold Member

ISO Certified

2B Advice is ISO/IEC 27001:2017 Certified

CIPP

Certified Information Privacy Professionals

Our Clients (Selection)


Our Data Privacy Service Portfolio

Privacy Impact Assessment

2B Advice offers privacy compliance software and services that help with Privacy Impact Assessments including risk assessment tools, catalogs, and more.

Data Protection Impact Assessment

According to the GDPR, processing of personal data that is likely to result in a high risk has to undergo an assessment of its impact prior to the processing. Learn how we can help.

Cloud Migration Impact Assessment

Our team of experts will advise you on the legal requirements you need to be aware of in terms of privacy regulations and data privacy compliance when migrating to the cloud.

Data Transfer Impact Assessment

Companies that transfer data across borders must rely on a valid transfer mechanism, which can include putting SCCs in place in accordance with the GDPR.

Regional GDPR Gap Analysis

The Regional GDPR Gap Analysis is an initial assessment that identifies organizational gaps in your privacy organization based on the current state of your privacy program.

Standard Contractual Clauses

According to the GDPR, SCCs ensure appropriate data protection safeguards as grounds for data transfers from the EU to third countries.