The instrument of the privacy impact assessment (PIA), called a data protection impact assessment (DPIA) in the Regulation, was introduced with the General Data Protection Regulation (Art. 35 of the GDPR). It refers to the controller's obligation to conduct an impact assessment and to document it before starting the intended data processing. A single assessment may cover several similar processing operations.
In principle, a data protection impact assessment must always be conducted when the processing is likely to result in a high risk to the rights and freedoms of natural persons. The assessment is mandatory in particular if one of the standard examples set out in Art. 35(3) of the GDPR applies. To give the open-ended wording of the law on the basic obligation to perform a privacy impact assessment more concrete shape, the supervisory authorities are involved. In a first draft, the Article 29 Working Party created a catalogue of ten criteria which indicate that a processing operation bears a high risk to the rights and freedoms of natural persons. These include, for example: scoring and profiling; automated decisions which produce legal consequences for those affected; systematic monitoring; processing of special categories of personal data; data processed on a large scale; the matching or combining of data gathered by different processes; data about incapacitated persons or persons with limited capacity to act; the use of new technologies or biometric procedures; data transfers to countries outside the EU/EEC; and data processing which prevents data subjects from exercising their rights. A privacy impact assessment is not strictly necessary if a processing operation fulfils only one of these criteria. However, if several criteria are met, the risk to the data subjects is expected to be high and a data protection impact assessment is always required. Where there is doubt and it is difficult to determine whether the risk is high, a DPIA should nevertheless be conducted. This process must be repeated at least every three years.
In addition, the national supervisory authorities must establish and publish a list of processing operations which always require a data protection impact assessment in their jurisdiction (positive list). They are also free to publish a list of processing activities which specifically do not require a privacy impact assessment (negative list). If a company has appointed a Data Protection Officer, their advice must be taken into account when conducting a DPIA. How, and by what criteria, the consequences and risks for the data subjects are to be assessed remains largely unanswered. The first templates were guided by the audit schemes of ISO standards or by the Standard Data Protection Model.
Suitable GDPR articles
- Art. 5 GDPR Principles relating to processing of personal data
- Art. 35 GDPR Data protection impact assessment
- Art. 36 GDPR Prior consultation
- Art. 57 GDPR Tasks
Suitable Recitals
- (75) Risks to the Rights and Freedoms of Natural Persons
- (84) Risk Evaluation and Impact Assessment
- (89) Elimination of the General Reporting Requirement
- (90) Data Protection Impact Assessment
- (91) Necessity of a Data Protection Impact Assessment
- (92) Broader Data Protection Impact Assessment
- (93) Data Protection Impact Assessment at Authorities
- (94) Consultation of the Supervisory Authority
- (95) Support by the Processor
- (96) Consultation of the Supervisory Authority in the Course of a Legislative Process
- European Commission ► When is a Data Protection Impact Assessment (DPIA) required? (Link)
- Article 29 Data Protection Working Party ► WP 248 – Guidelines on Data Protection Impact Assessment (DPIA) (Link)
- European Data Protection Supervisor ► Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit (Link)
- Data Protection Authority UK ► Data Protection Impact Assessments (Link)
- Data Protection Authority UK ► Guidance for UK organisations on Data Protection Impact Assessments (DPIAs) (Link)
- Data Protection Authority France ► PIA method and software (Link)
- Data Protection Authority France ► List of types of processing operations for which a data protection impact assessment is required (Link)
- Data Protection Authority Ireland ► Data Protection Impact Assessments (DPIA) (Link)
- Data Protection Authority Ireland ► List of Types of Data Processing Operations which require a DPIA (Link)
- Data Protection Authority Luxembourg ► Data Protection Impact Assessment (DPIA) (Link)
- ► Handbook on European data protection law – Data protection impact assessment and prior consultation, page 179 (Link)
- Bitkom ► Risk Assessment & Data Protection Impact Assessment (Link)
- ISO ► ISO/IEC 29134:2017 – Guidelines for privacy impact assessment (Link)
- IAPP ► A Process for Data Protection Impact Assessment Under the European General Data Protection Regulation (Link)
- CIPL ► Risk, High Risk, Risk Assessments and Data Protection Impact Assessments under the GDPR (Link)
- CIPL ► How Organisations can Deliver Accountability under the GDPR (Link)