Data protection impact assessment: what, why and when?

DPIA - when and how to do it

The Data Protection Impact Assessment (DPIA) is one of the new obligations related to the processing of personal data under the General Data Protection Regulation (GDPR). The DPIA is a self-assessment tool for managing the risks that processing personal data poses to the individuals concerned: its purpose is to identify and assess those risks before the processing starts and to reduce them in advance.

The DPIA requirement does not apply to all personal data processing activities. The GDPR specifies certain processing operations for which a DPIA must be carried out before the processing starts. In addition, national data protection authorities can publish lists that further specify the processing operations for which a DPIA is required.

When is data protection impact assessment required?

According to the GDPR, a controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. If the company has designated a data protection officer, he or she must be consulted when carrying out the DPIA.

The data protection impact assessment is required in particular in the case of a systematic and extensive evaluation of personal aspects which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the person or similarly significantly affect him or her. The DPIA is also required, for example, for large-scale processing of the special categories of personal data defined in the GDPR, such as data concerning health, and for systematic monitoring of a publicly accessible area on a large scale, such as video surveillance.

Additionally, in Finland the Office of the Data Protection Ombudsman has published a list of specific personal data processing operations for which the DPIA is required. According to the Data Protection Ombudsman's list, the DPIA is required, for example, when processing genetic data or when a company operates a whistleblowing system. Moreover, the DPIA is required when the controller has obtained the personal data from sources other than the data subject and does not inform the data subjects of the processing in the manner the GDPR otherwise requires.

The DPIA is a tool to identify and manage risks

The DPIA is intended as an ongoing tool for those processing personal data to identify and manage risks. The impact assessment is required before the data processing starts, and the DPIA and its conclusions must be properly documented. The controller must also be proactive and monitor the risks and threats related to the processing after it has started. Where necessary, the controller shall carry out a review to assess whether the personal data processing is being performed in accordance with the data protection impact assessment. The impact assessment must be updated if the risks related to the processing operations change, for example because of new processing purposes, new data transfers, or new technology.

When performing the DPIA, the controller must draft a systematic description of the envisaged processing operations and the purposes of the processing, assess the necessity and proportionality of the processing operations in relation to those purposes, and assess the risks to the rights and freedoms of the data subjects. The assessment must also describe the measures envisaged to address those risks, including the safeguards and security measures that will ensure the protection of personal data and demonstrate compliance with the GDPR. If the organization has a designated data protection officer, he or she must be consulted during the performance of the DPIA.

Additionally, where appropriate, the controller should also seek the views of the individuals whose data is being processed, or their representatives, as part of the DPIA. If the controller's own assessment indicates that the processing would still result in a high risk that the controller cannot adequately mitigate, the controller must consult the data protection authority before starting the processing.

The GDPR requires an impact assessment for certain processing operations, but the DPIA is also a way to demonstrate that the company complies with the GDPR. The impact assessment can additionally be used to assess the organization's own level of data protection and to raise the awareness of its personnel.