Data protection impact assessment (DPIA)

A DPIA is a way for organisations to systematically and comprehensively analyse data processing and to identify and minimise data protection risks. It has to be carried out where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.

Organisations shall carry out a DPIA if they plan to:

  • use systematic and extensive profiling with significant effects;
  • process special category or criminal offence data on a large scale;
  • systematically monitor publicly accessible places on a large scale;
  • process biometric data for monitoring or control purposes;
  • record telephone conversations;
  • carry out video monitoring combined with audio recording;
  • monitor employees (monitor employees’ actions and behaviour in e-systems);
  • other.

Your DPIA shall:

  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals;
  • identify any additional measures to mitigate those risks.

Benefits that DPIA brings:

  • demonstrates that your organisation complies with GDPR;
  • ensures that users are not at risk of having their data protection rights violated;
  • reduces operating costs by optimising information flows within projects and eliminates unnecessary data collection and processing;
  • reduces data security risks within your organisation;
  • reduces the cost and disruption of data protection safeguards by integrating them into project design early.

ECOVIS ProventusLaw can:

  • conduct a Data Protection Impact Assessment, which includes an assessment of personal data processing operations from the perspective of IT security (technical security measures);
  • advise on when and how a Data Protection Impact Assessment should be carried out;
  • prepare and/or revise procedures related to Data Protection Impact Assessments.

Our team is experienced in carrying out DPIAs for biometric data processing, recording telephone conversations, employee monitoring, CRM systems, innovative systems handling large amounts of personal data, data management systems, data transfers to third countries and other data processing operations.

Loreta Andziulytė

Attorney at law, Partner of the Law Firm, Certified Data Protection Expert, Lawyer

Contact person