When to conduct a DPIA
A Data Protection Impact Assessment (DPIA) consists of a set of assessments to be carried out by your company before starting your processing operations. A DPIA serves as a tool to systematically analyse, identify and minimise (not necessarily eliminate) the data protection risks of a single processing operation or a set of similar processing operations within your company. This assessment allows you to determine if the level of risk is acceptable in relation to the benefits pursued by the planned project.
‘Risk’, through the lens of data protection law, refers to the likelihood and severity of any physical, material or non-material negative impact on the individual concerned or society at large, taking into account the nature, scope, context and purposes of processing.
A DPIA is not always required under the GDPR. However, the mere fact that your company qualifies as a micro-enterprise or an SME does not – as such – give you a free pass. The obligation to carry out a DPIA is tied to the notion of ‘high risk’: if the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals, a DPIA is required.
To decide whether a project poses a high data protection risk, the Article 29 Working Party (WP 29) – now the European Data Protection Board (EDPB) – provides a rule of thumb: a processing activity that meets 2 or more of the 9 criteria listed below most likely constitutes a high risk to the rights and freedoms of the individuals concerned and therefore requires a DPIA to be carried out.
In some cases, you could still consider that a processing activity meeting only 1 of the 9 criteria requires a DPIA.
Example: processing personal data gathered across social media platforms to create marketing profiles.
Criteria met:
Evaluation or scoring
Matching or combining of datasets
Large scale processing
3 out of 9 criteria are met. DPIA necessary!
To find out if you are required to carry out a DPIA, check out our pre-DPIA template.
National DPIA lists
The GDPR instructs national data protection authorities (DPAs) to draw up their own lists of processing operations which are subject to the requirement for a DPIA.
Additionally, they are free to also make a list of processing operations which do not require a DPIA. If your DPA has such a list, it is important to check this list before starting any data processing operations. National DPIA lists can be found here.
If it is not entirely clear whether the processing activities performed by your company are likely to result in a high risk to the rights and freedoms of individuals, it is advisable to carry out a DPIA. Since neither the criteria nor the national lists can be considered exhaustive, and there could always be high-risk processing situations not foreseen by law or by national DPAs, it is safest to carry out a DPIA in any case.
Moreover, conducting a DPIA should also be seen as a way of complying with the accountability obligations under the GDPR. It helps you keep oversight of the processing activities taking place within your company by documenting risks and demonstrating compliance with the data protection rules. Hence, it is good practice to perform a DPIA for any major project which requires the processing of personal data, even if you are not obliged to.
How to conduct a DPIA?
After identifying the need for a DPIA, the following steps should be taken:
1. A systematic description of the envisaged processing operations and the purposes of the processing. If you rely on ‘legitimate interest’ as the lawful basis for the processing, this interest should be included in the DPIA.
2. Conducting a DPIA is your company’s responsibility whenever you are acting as a data controller. Nevertheless, you should consult your DPO, if appointed, as well as other relevant actors.
3. An assessment of the necessity and proportionality of the processing operations: (1) Is the processing of personal data in the planned manner necessary to achieve the envisaged purpose(s)? (2) Is the interference with the rights and freedoms of the individuals concerned not disproportionate in relation to the pursued purpose(s)?
4. An assessment of the risks to the rights and freedoms of data subjects (e.g. privacy)
5. An identification of the measures envisaged to address the risks (e.g. safeguards and security measures) and a demonstration of compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned
6. Keeping records of the outcomes
7. Periodic review: processing activities are dynamic and can evolve quickly, which could create new risks to the rights of individuals. For that reason, you should periodically reassess whether the DPIA conducted earlier still corresponds to the processing activities taking place within your company at that time. If there is no DPIA in place, you should check whether the processing activities at that time result in high risks to the rights and freedoms of individuals. If so, a DPIA is necessary.
When to consult the DPA?
If the DPIA indicates that the planned processing operations are high risk and you find that it is not possible to implement measures to mitigate the identified risks, you should consult the competent DPA before starting to process any personal data.
In case of such a prior consultation, the DPA will advise you how to limit the risks relating to your processing. If your company implements the suggested measures, you will be allowed to start the planned processing. On the other hand, it is also possible that the DPA advises you to completely abandon the planned processing.
When you are able to identify mitigation measures that sufficiently cover the risks, no prior consultation of the DPA is required.
Time for action!
Assess whether planned and existing processing activities are likely to result in a high risk.
A DPIA is a living tool so update your DPIA when the circumstances surrounding the processing have significantly changed.
Check the DPIA lists of the national DPAs.
Ask for your DPO’s advice if your company has appointed one.
Do not forget to document your DPIA.
CNIL Tool (in French and English)