A data protection impact assessment (DPIA) is required when a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
DPIA - Data Protection Impact Assessment
Under the GDPR, the controller (the organisation or person that determines the purposes and means of the processing) is responsible for protecting the personal data it processes. Where a processing activity is likely to result in a high risk to the rights and freedoms of natural persons, the controller must carry out a DPIA for that activity before starting it.
The DPIA must contain a risk analysis that rates each risk by its likelihood and its severity for the data subjects. This covers not only data breaches but any harm the processing could cause to people's rights and freedoms. You then have to identify measures that reduce likelihood and severity until the residual risk of the processing activity is minimised. If a high risk remains even after these measures, the controller must consult the supervisory authority before starting the processing (prior consultation, Article 36 GDPR).
The Article 29 Data Protection Working Party has published guidelines on how to carry out a DPIA. A DPIA is not required for every processing activity, only for those likely to result in a high risk, and a single DPIA may cover a set of similar processing operations that present similar high risks.
In the same guidelines (2017, p. 9-11), the Working Party lists nine criteria that indicate a likely high risk. As a rule of thumb, a processing operation that meets at least two of these criteria should be assessed with a DPIA:
- Evaluation or scoring
- Automated decision-making with legal or similarly significant effect
- Systematic monitoring
- Sensitive data or data of a highly personal nature
- Data processed on a large scale
- Matching or combining datasets
- Data concerning vulnerable data subjects
- Innovative use or applying new technological or organisational solutions
- Processing that in itself "prevents data subjects from exercising a right or using a service or a contract"
Note that the DPIA must be carried out before the processing activity or application goes live, not afterwards. Beyond being a legal obligation, a DPIA is a useful way to determine the risk and impact of your data processing and to check whether your activities are GDPR compliant (Article 35 GDPR).