Data Protection Impact Assessment

Rameesa GM
Aug 13, 2021

A Data Protection Impact Assessment (DPIA) is carried out by the data controller when the processing operations are likely to result in a high risk to the rights and freedoms of natural persons, in particular where new technologies are used, and taking into account the nature, scope, context and purposes of the processing. Indicative kinds of high-risk processing operations are listed in Article 35 (3) of the GDPR (see rec. 91 of the GDPR).

The assessment contains at least the following (Article 35 (7) of the GDPR):

  • A systematic description of the processing operations and the purposes of the processing;
  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • An assessment of the risks to the rights and freedoms of data subjects;
  • The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.

It is not necessary to carry out a DPIA for processing operations for which an authorization to establish and operate the relevant file containing sensitive personal data has been granted under Article 7 of Law 2472/1997, provided that such authorization is in force and there has been no change which may result in a high risk to the rights and freedoms of data subjects, taking into account the nature, scope, context and purposes of the processing (WP248).

It is not necessary to carry out a DPIA where the processing operation pursuant to Article 6 (1) (c) or (e) has a legal basis in Union or Member State law, where that law regulates the specific processing operation and a DPIA has already been carried out as part of the establishment of that legal basis, unless it is deemed necessary to carry out such an assessment prior to the processing activities (Article 35 (10), rec. 93 of the GDPR).

No GDPR overview is complete without the DPIA. However, when it comes to the data protection impact assessment, the good news is that it is not strictly required in most cases.

This is what the English ICO has to say about it:

Although publishing a DPIA is not a requirement of GDPR, you should actively consider the benefits of publication. As well as demonstrating compliance, publication can help engender trust and confidence. We would therefore recommend that you publish your DPIAs, where possible, removing sensitive details if necessary.

DPIA Requirements

Online templates are available to help you complete a DPIA report. These templates are a good starting point and should be adapted to suit your organisation’s particular requirements.

A DPIA should include:

  • Whose personal data you plan to process, e.g. customer, employee or patient data
  • What kind of personal data you will use
  • How you plan to use the personal data
  • Which measures you will take to minimise and prevent risk to individuals

A DPIA should assess:

  • The necessity of using personal data to meet your aim
  • Whether the potential risk is worth the desired business outcome
  • Whether you need to consult a supervisory authority, such as the Information Commissioner’s Office (ICO).
