A Data Protection Impact Assessment is a way to analyse data processing systematically and comprehensively. It helps an organisation to identify any risks in relation to data processing and the actions that need to be taken in order to mitigate that risk. 

The Privacy Impact Assessment (PIA) is a standard process used by privacy teams to accomplish privacy by design. Companies conduct PIA when they want to evaluate competitive advantage, product value and cost-effectiveness in design. PIAs identify and reduce organisational privacy risks. When either a new business process gets implemented, a new company is acquired, or a new process gets launched, a company should conduct a PIA.  

However, The Data Privacy Impact Assessment (DPIA) is used when a company tries to find and mitigate personal data processing risks. An advantage of DPIA is, it renders clear and registered evidence that a certain organisation has evaluated the risk of its certain processing activities and reduced the risks accordingly to align with the requirements of the regulation. 

The documentation can be provided to the Federal and Regional Data Protection Authorities (DPAs) if they require it.

A DPIA must be carried out when processing starts to result in high risks to the rights and freedom of individuals. Below are the expected cases in which DPIA must be conducted. 

  • To evaluate personal aspects systematically and extensively of an individual. Including profiling.
  • When processing of sensitive information is required on a large scale.  
  • To monitor public areas systematically on a large scale.  

National Data Protection Authorities and the European Data Protection Board provides the list of cases when DPIA has to be conducted. Its conduction must go prior to the processing and should not be considered as a one-off exercise but as a living pool. A DPA ought to be consulted before the processing. Lastly, the residual risks can be reduced by putting adequate measures in place.

The Data Protection Impact Assessments are important, as the company carrying out the assessment will get a full picture of the data they hold for certain purposes and establish a record of the data and processing being carried out. This then allows them to evaluate any weaknesses that may exist in relation to those processes that could be deemed high risk, and in doing so determine the strategies for rectifying those weaknesses and mitigate any risk. Along with outlining any systemic improvements that can be made to the organisation to improve overall compliance with the requirements under the law.

DPIA must be carried out by an individual or people leading on the project. Besides, a Data Protection Officer (DPO) should also be included along with information security staff or any processor.

The DPIA should cover the below mentioned key points.

  •  It should explain every purpose of the processing along with nature, scope and context.
  • It must evaluate necessity, proportionality and compliance measures. 
  • It identifies and assesses risks to individuals.
  • Lastly, It should identify any additional measures to mitigate those risks.

Under the guidance for DPIA’s the general opinion seems to be that a DPIA is not needed for processing operations that have been in place prior to the implementation date of the GDPR if they have been checked by the national regulator, and so long as the operation is performed in the same way. 

However if any of those operations have changed in scope and are likely to result in high risk than a DPIA should be conducted. Though for the sake of best practice, it would be a good idea to carry out DPIA’s for activities regarding highly sensitive data to ensure that the risk is minimised.

There are multiple benefits of DPIA. Although, by the conduction of a DPIA, you will be able to enhance and improve the awareness within your organisation pertaining to the data protection risks associated with your project. It also supports your project’s design and speeds up your communication regarding data privacy risks with the relevant stakeholders.  It also helps demonstrate your organisation’s compliance with GDPR and avoid any sanctions.

Consultation with the national regulatory authority is not always necessary following the completion of a DPIA, so long as measures to mitigate the risks to personal data have been identified and taken. However if the DPIA indicates that risks cannot be managed and remain high, then the national regulator should be consulted before moving on with the project.

Regardless of whether such a consultation is needed, there are obligations to retain the DPIA and update it, as it may be reviewed by the national regulator in an audit or investigation arising from the use of the personal data.

Under GDPR, publishing DPIA is not a requirement. But, by demonstrating your compliance with the regulations, publications can help you raise trust and confidence. Therefore, it is recommended to publish you DPIAs if possible.

Also the published DPIA doesn’t need to be the entire assessment, especially when it could present information concerning security risks or sensitive commercial information. The Data Protection Commission for Ireland, recommends that when publishing information relating to the DPIA, a summary will suffice.