DPIA

Rameesa GM
2 min read · Aug 16, 2021

A Data Protection Impact Assessment (DPIA) evaluates the potential risks arising from a new processing activity before that activity actually takes place. Carried out early, a DPIA lets the data-protection risks be identified and addressed before any personal data is processed.

A controller is obliged to carry out a DPIA if its processing activities are likely to result in a high risk to individuals' rights and freedoms. Such a high risk may arise in particular where new technologies are used. The DPIA must be completed before the processing begins. If the controller has designated a Data Protection Officer (DPO), it must seek the DPO's advice when carrying out the DPIA.

A DPIA is particularly required in the following situations:

  • a systematic and extensive evaluation of personal aspects relating to individuals based on automated processing (including profiling), on which decisions are based that produce legal effects concerning the individual or similarly significantly affect the individual
  • processing of special categories of personal data (sensitive data), or of data relating to criminal convictions and offences, on a large scale
  • systematic monitoring of a publicly accessible area on a large scale

If the processing and the data collected may result in a high risk to the rights and freedoms of natural persons, the company needs to evaluate how its processing model may affect those persons and how to protect the processing from external threats. Under Article 35 GDPR, such an impact assessment is required where the company carries out:

  1. a systematic and extensive evaluation of personal aspects by automated means;
  2. large-scale processing of special category data or of data relating to criminal convictions and offences;
  3. systematic monitoring of a publicly accessible area on a large scale (for example, cameras facing a public area).

When is a DPIA mandatory?

The GDPR does not require a DPIA to be carried out for every processing operation which may result in risks for the rights and freedoms of natural persons. Carrying out a DPIA is only mandatory where the processing is “likely to result in a high risk to the rights and freedoms of natural persons”.

In this sense, Article 35(3) GDPR provides some examples of when a processing operation is “likely to result in high risks”:

– “(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

Who is obliged to carry out the DPIA?

The controller is responsible for ensuring that the DPIA is carried out (Article 35(2)). The assessment itself may be performed by someone else, inside or outside the organization, but the controller remains ultimately accountable for it.

Privacy by default

By default, all privacy settings should be set to their most protective level. The data collected must be limited to what is necessary for the stated purpose and kept secure, without requiring the user to change any privacy settings themselves.

Privacy by design

Each new service or business process that makes use of personal data must take privacy and data protection into consideration during the design phase. There is a specific obligation to implement appropriate technical and organizational measures that integrate the strongest practicable privacy features into what you build.
