Data Protection Impact Assessment (DPIA)

If an intended personal data-processing activity is likely to result in a high risk to the rights and freedoms of natural persons, a Data Protection Impact Assessment (DPIA) must be performed prior to the processing.

A DPIA is a tool designed to identify and assess in a structured and standardised manner how data subjects might be affected by intended regulations or projects in which personal data will be processed. Based on this assessment, measures are then taken to prevent or mitigate these effects on data subjects. A DPIA also demonstrates that the processing activity in question has satisfied the requirements laid down in the GDPR.

You are required to perform a DPIA for processing activities which are likely to result in a high risk to the rights and freedoms of the data subjects. For processing activities which are not likely to result in such a high risk, you do not need to perform a DPIA.

According to the GDPR, a high risk is involved in any case when you:

• carry out a systematic and extensive evaluation of personal aspects which is based on automated processing, including profiling, and which you use as a basis to make decisions that produce legal effects for the data subject or otherwise significantly affect the data subject;
• process special categories of personal data or personal data relating to criminal convictions and offences on a large scale;
• systematically monitor people in publicly accessible areas on a large scale (e.g. using camera surveillance).

This is not an exhaustive list. Although the GDPR specifically mentions these three situations, a DPIA must be performed for all situations with a potentially high risk for data subjects. The supervisory authorities use the following rule of thumb to determine whether or not a high risk might be involved.

A high risk is involved if the intended processing activity meets two or more of the nine criteria below:

1. evaluation of persons or scoring;
2. automated decision-making with legal consequences or a similar significant effect;
3. systematic monitoring;
4. sensitive data or data of a highly personal nature;
5. data processed on a large scale;
6. matching or combining of datasets;
7. data concerning vulnerable data subjects;
8. innovative application of new technological or organisational solutions;
9. preventing data subjects from exercising a right or using a service or contract.

The supervisory authorities are responsible for publishing lists of processing activities which require a DPIA.

A model DPIA will be available for the AUAS soon. The document will include a description of the process for performing a DPIA along with a model for use when doing so.

A completed DPIA consists of:

1. a description of the intended processing activities and the purposes of the processing;
2. an assessment of the legal basis, necessity, proportionality and compatibility of the intended processing activities in relation to the purposes;
3. an assessment of the consequences and risks of the intended processing activities with respect to the rights and freedoms of the data subjects;
4. the measures envisaged to address these consequences and risks of the intended processing activities.

The data protection officer is involved in the performance of a DPIA.