How to conduct a data protection impact assessment



Every company nowadays is fuelled by data. The database of a company may comprise personally identifiable information (PII) or sensitive data whose collection, storage, and processing may expose it to numerous kinds of privacy breach including cyber risks. To encounter such risks, GDPR has laid down guidelines for conducting DPIA that helps an organisation be it a controller or a processor to systematically analyse, identify and mitigate the data protection risks.

DPIA composes the cybersecurity and privacy program of any organisation. A key mandate under the European Union's GDPR (General Data Protection Regulation), DPIA allows an organisation to make informed decisions about the accountability of data protection risks and communicate the same with affected individuals efficiently. Conducting a DPIA before processing sensitive data of consumers reflects how responsible an organisation is towards compliance with data protection obligation--and keeping data subjects' valuable info safe and sound.

As per Article 35(1), GDPR, the requirement for carrying out DPIA is defined as :

“where a type of processing in particular using new technologies, and taken into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risk.”

The DPIA is designed to systematically and comprehensively analyze the organisation’s personal data processing activities and the inherent risks of processing the personal data. It helps the company to identify and prevent risk related to data protection and privacy. It helps the company to avoid any penalty that may be imposed due to lack of systems and processes while processing the personal data of an individual.

Article 25 under GDPR enshrines data protection by design and by default. DPIA incorporates privacy by design into a project, which means that the project gets an embedding of data privacy features and privacy-enhancing technologies into the design of a project at a preliminary stage. Data protection by default means that the settings configured to tune processing should be automatically data protection-friendly. DPIA accomplishes both principles competently.

Source : GDPR General Data Protection Regulation - DATA SECURE

When is a DPIA required?

It is required to annually conduct a DPIA assessment to evaluate the risk exposure and its impact on sensitive data contained within a database. As per Article 35(1) of GDPR, the likelihood of high risk to the rights and freedoms of individuals whenever links with the processing of user data, particularly with the use of new technology, a need for DPIA comes into action. Conducting a DPIA may be required in the following scenarios:

  • Large scale processing of sensitive data;
  • Large scale monitoring of public areas;
  • Evaluation of an individual’s personal aspects, including profiling and predicting;
  • Automated-decision making;
  • Matching or combining multiple datasets;
  • Innovative technology brought into use for processing;
  • Processing prevents data subjects from exercising a right;
  • Transferring data outside the EU.
Processing activities when DPIA is needed according to GDPR WP 248:
  • Use of new technologies
  • Use of profiling on access to services
  • Targeting and Profiling of children
  • Collecting personal data without providing the privacy notice
  • Processing of location data
  • Processing of biometric data
  • Processing of generic data
  • Behaviour and location tracking
  • Data processing that might endanger an individual’s physical health or safety in case of a security breach
  • Combining data sets from various sources

It should be ascertained that DPIA takes place before the processing of data. In addition, DPIA should act as a living tool, not as a one-off exercise, used throughout the planning and development of a project. In case, measures put in place fail to dilute residual risks, the data controller should seek the consultation of DPO before processing data.

DPIA is not required when processing of data does not lead to a significant risk to the rights and freedoms of natural persons. If DPIA for processing has already been carried out and conducting a DPIA once more may demonstrate similar nature, scope, context, and purposes, in such a case, previous results of DPIA can be used. For a group of projects having a similar processing operation, conducting a single DPIA can cover all. For a combined project, the engaging data controllers can even do a joint DPIA.

Article 35(5) of GDPR provides some leeway to the data controllers with a list (yet to be finalised by the supervisory authority) on which DPIA won’t be required. The UK and some European Union member states have bifurcated processes into ‘Blacklists’ and ‘Whitelists’ to guide businesses into conducting a DPIA.

How to conduct a DPIA

Conducting a DPIA is a complex and challenging task. According to GDPR Articles 35(1) and 35(10), recitals 90 and 93, DPIA should be conducted prior to the processing. Varying with the goals and data protection risks attached to a project’s lifespan, DPIA may act either as a one-off operation or as a continuous process as the project moves forward.

GDPR Article 35(7) and recitals 84 and 90 outline the minimum instructions to carry out a DPIA:
  • A detailed description of the envisaged processing operations, including purposes of the processing, categories of personal data processed;
  • An assessment of the necessity of the data processing, in combination with proportionality check of data processing vis-à-vis the purpose of the DPIA;
  • An assessment of the data protection risks to data subjects;
  • A description of measures to address the data protection risks, including security measures and mechanisms to ensure compliance with GDPR policies.
Key elements of carrying out a successful data protection impact assessment:

1. Identify the necessity for a DPIA From the list described in the section “When is a DPIA required,” companies should at first evaluate whether they qualify to conduct a DPIA.

2. Identify the involving parties This step unfolds into identifying the persons to be involved in the assessment. The Data Protection Officer (DPO) and the person in charge of the project should by default be its part. Additionally, industry experts from legal, infosec, IT, etc. may be consulted to help with DPIA. If a data processor is helping a company process data, that data processor should assist with doing the DPIA and avail necessary information.

3. Describing the information flows This stage encapsulates data collection, storage, usage and eradicating personal information. How will the data be collected; how will it be used; where will it be stored; who has the access to this data; the parties with which data will be shared; security measures put in place to protect the data--all these issues should be outlined. If it’s envisaged that the project could stem new information, its inclusion should be mapped in the record of this stage.

4. Determining the scope of data It may take various key points into consideration to set boundaries around the collection, use, sharing and transfer of personal data:

  • Categories of data collection;
  • Involvement of sensitive data;
  • Quantity of data collection and number of consumers so affected;
  • Whether data processing is localised to a specific area;
  • Data retention period;
  • Measures put in place to keep up with the data rights, such as the right to erasure.

5. Identifying, assessing and mitigating data protection risks

This step comprises most of the assessment. A prioritised list of harms that the processing could cause to data subjects should be worked out, considering the inability to exercise data rights, identity theft, reputational and financial damage, loss of trust, etc.

A risk analysis of data inventories should be carried out. Risk analysis takes into account identifying datasets whose theft, loss, or exposure would negatively impact operations; business processes dependent on that data; threats that could affect the organisation’s ability to operate.

At the helm of conducting a DPIA sits the identification and minimisation of data protection risks. Steps should be set out to remedy issues that may have sparked off of assessments. Risks if not totally eliminated should at least be minimised; companies should accept the residual risks as part of the processing and bother not much about its complete elimination.

6. Recording the DPIA outcomes and signing off Maintaining a regular log of steps involved ensures the thoroughness of the process. It also comforts stakeholders that all the necessary data protection risks have been considered. Finally, the DPIA process concludes with a confirmation from the respective parties that the evaluation, findings, and strategies laid out in the DPIA have been approved by them. Once DPIA relating to the processing signs off, it goes without saying to integrate the findings back into the project plan.

Significance of conducting a DPIA

Conducting a DPIA increases awareness regarding data protection risks associated with a project. It also uplifts interaction with stakeholders in accordance with data privacy risks. Failure to carry out a DPIA may attract enforcement action, not to mention fines of up to 10 million euros, or 2% of global annual turnover, whichever is higher.

Some of the benefits of conducting a DPIA include:

  • Demonstration of compliance with GDPR and thereby, avoidance of sanctions and penalties attached to non-compliance;
  • Confidence building in public, with an improved stance on data protection and transparency;
  • Trust development in users that their data protection rights are not being violated;
  • Integration of privacy by design and by default into new projects;
  • Cost reduction with optimised data flow and elimination of non-essential data collection and processing.

Source : ARTICLE29 - Item (

We at Data Secure ( can help you to understand Privacy and Trust while dealing with personal data and provide Privacy Training and Awareness sessions in order to increase the privacy quotient of the organisation.

We can design and implement RoPA, DPIA and PIA assessments for meeting compliance and mitigating risks as per the requirement of legal and regulatory frameworks on privacy regulations across the globe.

For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA or Draft India PDPB 2019 and Secure Email transmission, kindly write to us at or

For downloading various Global Privacy Laws kindly visit the Resources page in DATA SECURE - Privacy Automation Solution