Definition of Data Protection Impact Assessment (DPIA)
DPIA means DATA PROTECTION IMPACT ASSESSMENT. It is a risk analysis established by the GDPR Regulation[1], mandatory for controllers[2] prior to the execution of any processing operation involving the personal data of individuals (data subjects) that is likely to result in a high risk to their rights and freedoms ("DPIA"). The risks to the rights and freedoms of data subjects may differ from one processing operation to another and may lead to material, non-material or other damage to those individuals. It follows that the obligation to carry out a DPIA does not apply to every personal data processing operation, but only to those which qualify.
When is it necessary to carry out a DPIA
The obligation of controllers to carry out a DPIA needs to be seen in the context of their general obligation to adequately manage the risks related to the processing of personal data. According to Recital (84) of the GDPR, the outcome of the assessment (the DPIA) should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with the GDPR.
The obligation to carry out a DPIA relates mainly to cases where the controller uses new technologies to process personal data, the use of which may represent a high risk to the rights and freedoms of the data subjects, and to cases where the nature, scope, context or purposes of the processing imply a high risk to the rights and freedoms of the data subjects. A DPIA is a process which helps the controller to analyse, identify and minimise risks. It is merely a special type of risk analysis. It should set out in particular the planned measures, safeguards and mechanisms to mitigate the risks to the rights and freedoms of the data subjects, to ensure the protection of personal data and to demonstrate compliance with the GDPR.
Article 35 (3) of the GDPR lists examples of processing operations requiring a DPIA. As the list of processing operations in the GDPR is not exhaustive, the WP 29[3] working party introduced nine criteria that each controller should consider when deciding whether a processing operation requires a DPIA. If a processing operation meets at least two of the criteria below, the controller should consider carrying out a DPIA. WP 29 states that the more criteria a processing operation meets, the more likely it is to present a high risk to the rights and freedoms of the data subjects.