First things first: what does the acronym DPIA stand for? DPIA stands for Data Protection Impact Analysis. What is it, concretely? It is a procedure that describes a data processing operation and identifies its needs, its adequacy and its risks, with one specific purpose: addressing those risks correctly. A DPIA covers all the processing operations that are analogous in terms of nature, risks, purposes and means.
DPIA: the content
Article 35 of the GDPR defines the content of a DPIA:
- a systematic description of the processing operations and the related purposes. In addition, where possible, the legitimate interest pursued by the controller;
- in relation to the purposes, an assessment of the proportionality and the necessity of the processing operations;
- an assessment of the risks to the rights and freedoms of the data subjects;
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
DPIA, when is it mandatory?
The key point is understanding whether or not a DPIA is mandatory. The circumstances listed below indicate if and why a DPIA is mandatory:
The DPIA is mandatory:
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.”
In particular, in these cases:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of particular categories of data;
- systematic large scale monitoring of a publicly accessible area.
A DPIA is not mandatory when:
- processing does not present a high risk for the data subjects;
- a DPIA has already been carried out on a comparable processing operation;
- the processing was already checked by the supervisory authority before 25 May 2018 and its characteristics have not changed.
DPIA: additional information
A DPIA must be carried out before the processing takes place: it is a preliminary assessment, subject to regular and periodic updates.
Who is responsible for the DPIA? The controller. The controller is the person in charge, but the DPIA may be carried out by someone else. In any case, the controller must monitor the process.
Swascan services (specific GDPR consultation and CyberSecurity consultation) help companies with compliance. Moreover, our GDPR Assessment determines the compliance gap and provides a detailed action plan to close it. Click the button below for a free trial of our services:
In order to assure your business the best tool available, Swascan, together with Raoul Chiesa (Raoul Chiesa interview), developed a dedicated cybersecurity platform. It is entirely cloud-based, pay-per-use and SaaS. You can see for yourself in our brochure (Cybersecurity platform) and take an in-depth look at our services. Our four services cover all governance needs in terms of risk management and periodic assessment: the right tools to understand your focus areas are Vulnerability Assessment, Network Scan, Code Review and GDPR Assessment. Last but not least, don't forget GDPR: our platform is 100% GDPR compliant (GDPR infographic), and to provide complete documentation, here you can find some information about the new figure introduced by this law: the DPO.