A data protection impact assessment (DPIA) is necessary if a type of processing you carry out might result in a high risk to the rights and freedoms of natural persons.

DPIA - Data Protection Impact Assessment

[Figure: DPIA Decision Tree. Source: Guidelines on Data Protection Impact Assessment by the Article 29 Working Group, page 7, April 4, 2017 (PDF).]

Within the GDPR, controllers (the responsible persons) must ensure the protection of the personal data they process. If an activity poses a high risk to the rights and freedoms of natural persons, you need to carry out a risk assessment for that processing activity.

The DPIA must contain a risk analysis covering the probability and the impact of a data breach. You then have to identify measures that reduce both probability and impact, so that the risk of the processing activities is minimised. If a high risk remains, you have to inform the supervisory authorities.

The Article 29 Data Protection Working Party has published guidelines on how to carry out a DPIA; a DPIA is not necessary for every processing activity. A single DPIA can also assess multiple similar operations at the same time.

In the same guidelines (2017, pp. 9-11), the Working Party also names 9 criteria for processing operations that may require an assessment; an assessment should be carried out if at least two of the criteria are met:

  1. Evaluation or scoring
  2. Automated-decision making with legal or similar significant effect
  3. Systematic monitoring
  4. Sensitive data or data of a highly personal nature
  5. Data processed on a large scale
  6. Matching or combining datasets
  7. Data concerning vulnerable data subjects
  8. Innovative use or applying new technological or organisational solutions
  9. Processing that in itself "prevents data subjects from exercising a right or using a service or a contract"

Note also that the DPIA needs to be carried out before the data processing activity or application starts. A DPIA is a useful way to determine the risk and impact of your data processing and whether your activities are GDPR compliant (Article 35 GDPR).