Under Article 35(1) of the GDPR, a Data Controller must carry out a data protection impact assessment (a "DPIA") before starting any processing that is likely to result in a high risk to the rights and freedoms of natural persons, in particular where new technologies are used, and in the cases listed in Article 35(3) such as systematic and extensive profiling.

This is an internal policy for a business, setting out the principles and legal conditions for performing DPIAs in the course of its operations and activities. It is tailored to comply with the GDPR.

DPIAs should be carried out in a range of situations, for example when:

  • introducing a new IT system that stores or processes personal data
  • developing internal policies or strategies that have data privacy implications
  • sharing personal data with other offices or with external parties
  • processing personal data for a new purpose
  • changing or upgrading an existing process that involves personal data

In line with Article 35(7), a DPIA should include:

  • a systematic description of the processing, including its purposes and, where applicable, the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing, and of the risks it poses to the rights and freedoms of data subjects;
  • the measures envisaged to address those risks, including safeguards and security measures (in other words, the data protection by design and data protection by default controls required by Article 25).

In addition to the assessment itself, the policy should set out:

  • the responsibilities of the Data Controller and any Data Processors
  • the purposes and means of the processing
  • the measures and safeguards to be applied
  • the contact details of the Data Protection Officer (DPO), whose advice must be sought when carrying out a DPIA (Article 35(2))

A DPIA is a useful tool for assessing, and documenting, the impact that processing personal data has on the rights and freedoms of individuals, and for showing that the risks identified have been addressed.
