Data protection impact assessment (DPIA)

Data Protection Impact Assessment is a novelty of GDPR. The DPIA is a way for organisations to systematically and comprehensively analyze their processing and help them to identify and minimize data protection risks. The DPAI is a certain process which has to be carried out in cases where a type of processing, in particular when using new technologies, and taking into account the nature, scope, context and purposes of the processing is likely to result in a high risk to the rights and freedoms of natural persons. Furthermore, the assessment of data protection impact is carried out by assessing the impact of data protection for technological product, i.e. the use of hardware or software for the process of personal data.

GDPR states that organisations shall carry out DPIA if they plan to:

  • use systematic and extensive profiling with significant effects;
  • process special category or criminal offence data on a large scale; or
  • systematically monitor publicly accessible places on a large scale.

Your DPIA shall:

  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals;
  • identify any additional measures to mitigate those risks.

Benefits that DPIA brings:

  • Demonstrates that your organisation complies with GDPR.
  • Ensures that users are not at risk of their data protection rights being violated.
  • Reduces operation costs by optimising information flows within projects and eliminates unnecessary data collection and processing.
  • Reduces data protection risks within your organisation.
  • Reduces cost and disruption of data protection safeguards by integrating them into project design at an early stage.

ECOVIS ProventusLaw can:

  • Conduct Data Protection Impact Assessment;
  • Consult when to carry out Data Protection Impact Assessment and how to perform it. Prepare and/or revise procedures related to Data Protection Impact Assessment.

Loreta Andziulytė

Lawyer, attorney at law, partner of the law firm, CIPP/E.

Contact person