Data Protection Impact Assessment

Data Protection Impact Assessment - What is it? How to complete one?

5/1/20201 min read

time lapse photography of water drop
time lapse photography of water drop

Data Protection and Impact Assessment is stated as the 35th article of GDPR. This article is run by “Protection by Design” principle and is a new addition to the GDPR Compliance.


“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

The main objective of the DPIA process is to help identify and minimise the data protection risks of a project. Conducting a DPIA for necessary projects is now mandated, as they are an integral part of taking privacy by design approach.

A DPIA assessment is conducted for a project that involves processing of personal data. Be it a major project which includes high risk or minor projects this assessment is mandated. Ideally a DPIA should be conducted before and during the planning stages of a particular project.

A DPIA should

  • Describe the nature, scope, context and purposes of the processing

  • Assess necessity, proportionality and compliance measures

  • Identify and assess risks to individuals

  • Identify any additional measures to mitigate those risks

DPIA applies if

  • If you’re using new technologies (artificial intelligence, blockchain e.t.c.,)

  • If you’re tracking people’s location or online behaviour

  • If you’re systematically monitoring a publicly accessible place on a large scale (use of CCTVs and other monitoring systems)

  • If you’re processing personal data related to “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”

  • If your data processing is used to make automated decisions about people that could have legal (or similarly significant) effects

  • If you’re processing children’s data (under age 18)