How to conduct a Data Protection Impact Assessment (DPIA)?
A Data Protection Impact Assessment, or DPIA, is a mandatory study for any personal data processing likely to result in a high risk to the rights and freedoms of data subjects: large scale profiling, video surveillance, health data processing, among others. The CNIL provides a free tool, PIA, along with a detailed methodology to structure this assessment, which weakens the excuse of lacking the tools to carry one out.
When is a DPIA mandatory?
A DPIA is required whenever a processing activity meets at least two of the following criteria: evaluation or scoring of individuals, automated decision making with legal effect, systematic monitoring, large scale processing of sensitive data, data matching, or processing concerning vulnerable individuals.
GDPR Diagnostic·See a diagnostic preview
The steps of a DPIA
- Describe the intended processing: purposes, data collected, recipients, retention period.
- Assess the necessity and proportionality of the processing in relation to its purpose.
- Identify the risks to data subjects: illegitimate access, unwanted alteration, loss of data.
- Assess the severity and likelihood of each identified risk.
- Define measures to reduce these risks to an acceptable level.
- Document the entire process, so it can be presented to the data protection authority in the event of an inspection.
Typical structure of a DPIA
| Section | Content |
|---|---|
| Context | Description of the processing, purposes, data controller |
| Principles | Necessity, proportionality, measures ensuring data subject rights |
| Risks | Sources of risk, potential impacts, existing measures |
| Action plan | Additional measures to implement and their owners |
Common mistakes
- Conducting the DPIA after the processing has gone live, when it should precede its implementation.
- Limiting it to a list of technical security measures, without actually assessing the risks to individuals.
- Never updating the DPIA as the processing evolves.
A well conducted DPIA is not just a template to fill in: its value depends entirely on how seriously the risk assessment inside it is done, not on its formal compliance with the expected outline. A DPIA produced for form's sake, without genuinely questioning the processing, protects data subjects no better and offers no real safeguard in the event of an inspection. Building on a map of processing activities and risks already identified during a GDPR diagnostic, however, considerably speeds up its completion.
Related diagnostic
Ready to assess your organization?
Try for free