Streamlined Compliance in Regulated Environments

When Is a DPIA Necessary? A Guide for Businesses

A Data Protection Impact Assessment (DPIA) is a process for systematically describing a processing operation involving personal data, assessing its necessity and proportionality in relation to its purposes, and identifying and managing the risks it poses to the rights and freedoms of natural persons. Article 35 of the GDPR requires a controller to carry out a DPIA before starting any processing that is likely to result in a high risk to the rights and freedoms of individuals, in particular where new technologies are used.

Image by macrovector on Freepik

Article 35(3) of the General Data Protection Regulation (GDPR) names three types of processing for which a DPIA is always required:

  • processing on a large scale of special categories of data (such as health data, racial or ethnic origin, political opinions or biometric data) or of data relating to criminal convictions and offences
  • systematic monitoring of a publicly accessible area on a large scale
  • a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects concerning individuals or similarly significantly affect them

The GDPR does not define "high risk" or "large scale", and deciding whose rights are at risk is often far from obvious. Article 35(4) therefore requires each national supervisory authority to publish a list of the kinds of processing operations that are subject to a DPIA in its jurisdiction, and authorities in France, Germany, Italy, Estonia, Hungary, Romania, the Netherlands and other member states have published such lists (some initially as drafts). In practice, whether a DPIA is a formal accountability obligation for a given processing activity can therefore depend on the member state in which the data is collected, processed or stored.

The Article 29 Working Party (the advisory body of EU data protection authorities, since replaced by the European Data Protection Board) lists, in its Guidelines on Data Protection Impact Assessment (WP248 rev.01), nine criteria for identifying processing operations that are likely to carry a high risk:

  1. Evaluation or scoring, including profiling and predicting aspects such as economic situation, health, personal preferences or interests, reliability or behaviour, location or movements
  2. Automated decision-making with legal or similarly significant effects on the individual
  3. Systematic monitoring of individuals, including collecting personal data on a large scale through systematic monitoring of a publicly accessible area, where the people observed may not know who is collecting their data or how it will be used
  4. Processing sensitive data or data of a highly personal nature, such as medical data, political opinions or criminal convictions
  5. Data processed on a large scale
  6. Matching or combining data sets that were originally collected for different purposes
  7. Processing data concerning vulnerable individuals, such as children, employees or patients
  8. Innovative use of new technological or organisational solutions whose social consequences are not yet established
  9. Processing that in itself prevents individuals from exercising a right, using a service or entering into a contract

The guidelines add that a processing operation meeting two or more of these criteria will in most cases require a DPIA, and that a controller who decides not to carry one out should document the reasons for that decision.

Conducting a DPIA is not an easy task. Beyond being a legal obligation, however, this risk assessment can be highly beneficial to organizations, especially those that regularly introduce new elements into or update their processing activities, since it forces the risks of a change to be identified and mitigated before the processing begins rather than after.

Are you uncertain whether you need to conduct a Data Protection Impact Assessment (DPIA)? Don’t leave compliance to chance! Chekt can help you navigate the complexities of data protection regulations. We can assess your situation and provide clarity on whether a DPIA is necessary for your project. Reach out to us today for guidance and ensure your business stays compliant and protected!
