GDPR Data Protection Impact Assessment

What Are DPIAs?

Article 35 of the General Data Protection Regulation (GDPR) focuses on the Data Protection Impact Assessment (DPIA) and the obligations organisations have to consider and carry them out. The ICO and WP29 have previously published guidelines on impact assessments. WP29 defines a DPIA as:

“A process designed to describe the processing, assess the necessity and proportionality of a processing and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data.”

DPIAs involve several stages of assessment wherever personal data is processed. These stages are:

  • Describe the processing
  • Determine if it is necessary
  • Identify and assess the risks
  • Define and develop mitigating safeguards and mechanisms.

Where processing is likely to result in a high risk to individuals, an impact assessment is the tool used to protect the individual(s) and their information as far as possible.

DPIAs are essential for meeting the governance and accountability requirements of the Regulation. They also provide structure and valuable information for those carrying them out. The DPIA enables a pre-emptive, responsible approach to assessing risks and developing mitigating controls before the processing activity starts, thus providing information on how individuals will be affected.

When is a DPIA Required?

Not every processing activity requires an impact assessment. However, it is important to show evidence that all processing activities are being assessed for their high-risk potential. This includes checking whether the activity meets the criteria requiring a DPIA under the GDPR. In some cases organisations can find it useful to complete a DPIA even where there is no mandatory requirement, as this allows lower-risk processing activities to be assessed as well.

Article 35(1) of the GDPR defines when a DPIA must be carried out. It states that “where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons”, carrying out an impact assessment prior to the processing is required. The aim is to identify and assess the impact of the processing operation(s) on the personal data and the data subject.

Organisations are responsible for identifying which processing activities are likely to result in high risks to individuals. However, under Article 35(3) and Recital 91, the Regulation does set out some specific situations in which a DPIA is required:

  • A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures
  • Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10
  • A systematic monitoring of a publicly accessible area on a large scale (especially when using a new technology or optic-electronic devices or other operations defined by the supervisory authority)

As the above list is non-exhaustive, the ICO have provided some additional ‘Guidelines on DPIAs’.

Carrying out a DPIA

The impact assessment must be carried out before the processing takes place. A DPIA should be fluid, with many of the assessment stages being revisited throughout the project cycle. As the processing activities are defined and technical and operational decisions are made, the direction of the project can change, so reassessing earlier stages of the assessment can be pivotal.

The evolutionary design and process of a DPIA enables organisations to assess the data protection and privacy aspects of the processing operations from all angles, ensuring that every facet of the project is considered.

Article 35(7) describes the minimum expected features of a DPIA:

  • A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes
  • An assessment of the risks to the rights and freedoms of data subjects referred to in Article 35(1)
  • The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned

Recitals 84 and 90 of the Regulation provide more detail on what a DPIA should evaluate. This includes the origin, nature, particularity and severity of any risks. Likewise, it also includes the measures, safeguards and mechanisms envisaged for mitigating those risks.

Using screening questions at the start of the assessment provides an easy way to identify processing that is likely to result in a high risk to individuals. The other stages in the DPIA project should include:

  • A project brief
  • Risk identification
  • Evaluation of the risks
  • Consultations and discussions
  • Measures and mitigation actions
  • Outcome analysis
  • Evidencing documentation.

The process is not just a start-finish exercise! The nature of the DPIA means that revisiting stages will often occur and those carrying out the DPIA must be flexible in their thinking and approach. Recording everything is key in a DPIA.

It is also important to involve all persons and entities who have an impact on the processing operation or project. Whilst a DPO or DPIA lead may carry out the actual assessment, gaining the insights and concerns of other departments, employees, stakeholders and processors (where applicable) is pivotal.

Considerations & Consultations

There are several other considerations and requirements that affect DPIAs and those carrying them out, some of which are noted below.

The controller is ultimately responsible for ensuring that the DPIA is effective and complete. This is still true even where another person or entity (internal or external) carries out the actual assessment.

The GDPR advises that when carrying out a DPIA, the controller must seek the advice of the Data Protection Officer (where designated). Their input and advice must be recorded on the DPIA. It is also required, where appropriate, to seek the views of the data subjects (or their representatives) on the intended processing.

A DPIA's main purpose is to assess an individual processing activity. However, the Regulation makes it clear that “A single assessment may address a set of similar processing operations that present similar high risks.” This means that if there are multiple processing operations, but the risks and outcomes are similar, the same assessment can be used. Article 92 gives an example of this: “where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector”.

The Regulation also advises that, where necessary, the controller should carry out a review of the assessed processing to ensure that it is being carried out in accordance with the DPIA outcomes and mitigations. This is especially important where the processing operations have resulted in a change to the risk.

Further Information

This article provides an overview of the DPIA requirements and process and is not in itself a complete process document. The Regulation itself gives the exact criteria and requirements for impact assessments, and some useful resource links are provided below:

The ICO provides a DPIA overview on their site as well as a link to their ‘Conducting PIA Code of Practice’ – https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/accountability-and-governance

The Article 29 Working Party (WP29) have a substantial guidance sheet for DPIAs – https://ec.europa.eu/newsroom/document.cfm?doc_id=44137

Know Your Compliance’s GDPR Section provides an extensive DPIA document covering the full assessment process, stages and templates – https://www.knowyourcompliance.com/product-category/gdpr