Data protection impact assessments

The Article 29 Working Party Guidelines on Data protection impact assessments (DPIAs) and the determination of 'high risk' describe a DPIA as:

"a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them. DPIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation (see also article 24). In other words, a DPIA is a process for building and demonstrating compliance."

DPIAs are now a requirement prior to the commencement of processing which is likely to result in a high risk for the rights and freedoms of individuals, taking into account the nature, scope, context and purposes of that processing.

In addition, DPIAs should be undertaken for existing processing operations likely to result in high risk to the rights and freedoms of individuals where there has been a change in the risks or new vulnerabilities have arisen.  DPIAs should be continuously reviewed and regularly re-assessed as a matter of good practice to ensure the level of data protection is maintained in a changing environment.

Even where processing does not meet one of the triggers necessitating a DPIA, controllers still have an obligation to implement measures to manage risks to the rights and freedoms of individuals.  All risks created by processing activities should be continuously assessed in order to identify when a processing activity is 'likely to result in a high risk to the rights and freedoms of individuals'.

The Article 29 guidance includes consideration of the concept of high risk, the common assessment criteria used in DPIAs and links to existing EU DPIA frameworks.

See: Article 35 and Recitals 84 and 89-97 of the GDPR