Data Protection Impact Assessment (DPIA)

How to conduct a Data Protection Impact Assessment (template included)

A Data Protection Impact Assessment (DPIA) is required under the GDPR any time you begin a new project that is likely to involve “a high risk” to other people’s personal information. This article explains how to conduct a DPIA and includes a template to help you execute the assessment.

The EU’s General Data Protection Regulation (GDPR) includes dozens of new rules (and many old ones) that organizations must follow in order to protect the personal information they collect about their clients or people who visit their websites. Organizations that fail to comply with the GDPR are risking severe penalties, including fines of up to $20 million or 4 percent of annual revenue, whichever is higher.

We cover many of the GDPR requirements in other articles on this website. For a general overview and many helpful links, check out our “What is the GDPR?” page or visit our GDPR checklist. Also, there’s a common misconception that businesses with fewer than 250 employees are exempt from the GDPR. That’s not true. (See who must comply with the GDPR.)

One of the most important ways to demonstrate to authorities that your organization complies with the GDPR is to prepare a DPIA for each of your high-risk data processing activities.

Below, we’ll explain how to determine when you need to conduct a DPIA, followed by how to conduct a Data Protection Impact Assessment.

Data Protection Impact Assessments under the GDPR

Article 35 of the GDPR covers Data Protection Impact Assessments. The DPIA is a new requirement under the GDPR as part of the “protection by design” principle. According to the law:

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

While this passage makes it clear that a DPIA is required by law under certain conditions, it is unhelpfully light on specifics. To help clarify the situation, here are some concrete examples of the types of conditions that would require a DPIA:

    • If you’re using new technologies
    • If you’re tracking people’s location or behavior
    • If you’re systematically monitoring a publicly accessible place on a large scale
    • If you’re processing personal data related to “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”
    • If your data processing is used to make automated decisions about people that could have legal (or similarly significant) effects
    • If you’re processing children’s data
    • If the data you’re processing could result in physical harm to the data subjects if it is leaked

In other cases, where the high-risk standard is not met, it may still be prudent to conduct a DPIA to minimize your liability and ensure best practices for data security and privacy are being followed in your organization. Remember, most data breaches trigger certain regulatory requirements.

How to conduct a Data Protection Impact Assessment

As outlined in Article 35, the GDPR requires DPIAs to contain the following elements:

    • A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
    • An assessment of the necessity and proportionality of the processing operations in relation to the purposes
    • An assessment of the risks to the rights and freedoms of data subjects
    • The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned

You must prepare your DPIA before beginning any data processing activity. Ideally, you should conduct your DPIA before and during the planning stages of your new project. If you have a Data Protection Officer, you must consult with that person, and any other key stakeholders involved in the project, throughout the course of the DPIA.

The UK’s Information Commissioner’s Office, which is responsible for enforcing the GDPR in that country, has prepared a Data Protection Impact Assessment template. The document will guide you through the process of determining whether your data processing activity requires a DPIA. It will then ask you a series of questions to understand the scope of the data processing and help you determine what protections you can implement as part of the design of your project.