When is a Data Protection Impact Assessment required?
A DPIA is a process designed to describe the processing, assess the necessity and proportionality of a processing and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing them and determining the measures to address them). DPIAs are important tools for accountability, as they help controllers not only to comply with the requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation. In other words, a DPIA is a process for building and demonstrating compliance.
Article 35 states that where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
The GDPR does not require a DPIA to be carried out for every processing operation which may result in risks for the rights and freedoms of natural persons. Carrying out a DPIA is only mandatory where a processing operation is “likely to result in a high risk to the rights and freedoms of natural persons”.
Processing operations likely to require a DPIA include:
- evaluation or scoring, including profiling and predicting
- automated decision-making with legal or similarly significant effect
- systematic monitoring
- sensitive data processing
- data processed on a large scale
- datasets that have been matched or combined
- data concerning vulnerable data subjects, such as children, the elderly or the sick
- innovative use or application of technological or organisational solutions, such as combining biometric fingerprint and face recognition for improved physical access control
- data transfer across borders outside the European Union
- when the processing in itself “prevents data subjects from exercising a right or using a service or a contract”