
Data Protection Impact Assessment Guide

The General Data Protection Regulation (GDPR) introduced a new obligation: companies and organizations must carry out a data protection impact assessment (DPIA) when their processing of personal data is likely to result in a high risk to individuals’ rights and freedoms (Article 35).

If the assessment shows that the processing would still carry a high risk after the planned safeguards, the company must consult the supervisory authority (the local data protection authority) before starting the processing (Article 36).

This follows from the accountability principle: the company is responsible for designing its processing activities so that individuals’ data is protected from the start.

Many companies already carry out Privacy Impact Assessments (PIA) as good practice, but these assessments may not cover all of the mandatory conditions deriving from the GDPR.

If there is no DPIA procedure in place within your company, you need to design the process and embed it into your organization’s policies and procedures.

What is a data protection impact assessment?

The data protection impact assessment is designed to systematically and comprehensively analyze the company’s personal data processing activities and the risks that they carry.

A DPIA helps the company to identify and prevent risks related to data protection and privacy. It covers the compliance risks from the company’s perspective but also the broader risks to the rights and freedoms of individuals. A breach or misuse of personal data can cause significant social or economic harm to the individual.

Therefore, the DPIA should assess the level of risk in terms of both the likelihood and the severity of any possible impact on the individuals.

A DPIA does not remove risk altogether; it is designed to minimize the possible negative impacts of the processing and to assess whether the remaining (residual) risk is acceptable and managed.

A DPIA can also support broader compliance goals: demonstrating accountability to clients and regulators brings financial and reputational benefits.

When is DPIA needed?

A DPIA is needed when the processing of personal data may result in a high risk to the rights and freedoms of natural persons. This means widespread or serious impacts on the individual or on society in general.

Processing activities for which a DPIA is always needed (GDPR Article 35(3)):

  • Systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects on the person are based
  • Processing on a large scale of special categories of data or personal data relating to criminal convictions
  • Systematic monitoring of a publicly accessible area on a large scale

Further processing activities for which a DPIA is needed according to the national DPAs’ lists (which build on the criteria defined in WP248):

  • Use of new technologies
  • Use of profiling on access to services
  • Behavior and location tracking
  • Targeting and profiling of children
  • Data processing that might endanger an individual’s physical health or safety in case of a security breach
  • Combining data sets from various sources
  • Collecting personal data without providing the privacy notice
  • Processing of biometric data
  • Processing of genetic data
  • Processing of location data

The need for a DPIA must be considered carefully, and the requirements of member states can vary greatly.

For example, Finland did not include location data in its original list of processing activities until the EDPB advised adding it.

Not every member state requires a DPIA whenever the company uses new technology. However, a DPIA should be considered as a general rule where the processing involves profiling or monitoring, where the technology decides about access to services or opportunities, or where the processing involves particularly sensitive data or vulnerable individuals.

Even if no high risk to the individual is found, the DPIA serves as the basic data protection document for the processing activity. It is a living document that must be kept up to date as the processing changes.

The European Data Protection Board (EDPB) has endorsed guidelines (WP248, originally adopted by the Article 29 Working Party) on which data processing activities need a data protection impact assessment (DPIA).

There have been differing opinions amongst the member states’ national Data Protection Authorities on when a DPIA is necessary and to which processing activities the procedure should apply.

The purpose of the guidelines is to form a harmonized approach to cross-border personal data processing activities that can affect the natural person’s free movement within the EU.

Currently, the WP248 guidelines endorsed by the EDPB serve as the basis on which the national authorities set their own lists of processing activities that require a data protection impact assessment.

National requirements can turn out to be stricter than the EDPB standards. Since personal data processing often has cross-border elements, the EDPB standards should be followed as a minimum, and the stricter national list checked for each member state involved.

More to read on this topic: Records of processing activities in GDPR Article 30
