Data protection impact assessments
A Data Protection Impact Assessment (DPIA) is a method by which a controller can objectively, systematically and comprehensively assess the proposed processing of personal data and identify, and minimise, the risks to an individual when developing a new, or updating an existing, system. The fundamental aim is to weigh the need for, and the potential benefit of, the processing against the impact on individuals. An effective DPIA can provide compliance, financial and reputational benefits, which help demonstrate accountability and assist a controller build trust and confidence with individuals.
A DPIA should commence early in the life of a project, whether at the point of design or before purchasing new kit, and form part of the planning and development process and in any event must be fully completed before any processing begins.
To assess the level of risk, a DPIA must consider both the likelihood of any risk occurring and the severity of any consequential harm caused either to individuals or to society at large should any of the risks occur. A DPIA does not have to completely eradicate risks, but should minimise risks and assess whether or not any remaining risks are justified.
A properly documented DPIA is important for evidencing compliance and should take account of a controller’s other express obligations including:-
- Article 5: Principles & Accountability
- Article 24: Responsibility of the controller
- Article 25: Data protection by design and default
It should be appreciated that a DPIA is not a rubber stamp exercise and failure to undertake a DPIA, as required, may result in a monetary penalty being imposed and an Order imposing a ban on processing.
Applicable legal provisions
Article 35 of the ‘Applied GDPR’
Recitals 83, 84, 89 to 93, and 95 of the ‘Applied GDPR’.
(For competent authorities processing personal data subject to the ‘Applied LED’, the provisions relevant to a DPIA are set out in Article 27 of the ‘Applied LED’, Regulation 57 of the Regulations and further explanation is provided in Recital 59)
The EDPB publishes decisions under the consistency mechanism, including relating to DPIAs. These can be found at: https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-decisions_en