The phrase ‘rights and freedoms’ occurs often in the text of the GDPR. A Data Protection Impact Assessment (DPIA) can be a useful tool for assessing the impact of processing personal data on the rights and freedoms of individuals. Also known as a ‘privacy impact assessment’, a DPIA has two main values:

  • incorporating data protection considerations into organisational planning; and
  • demonstrating compliance to supervisory authorities.

If you have a DPO, they are tasked to ‘provide advice where requested as regards the DPIA and monitor its performance’ according to Article 39(1)(c).

When is a DPIA required?

A DPIA is required if the processing is ‘likely to entail a high risk to the rights and freedoms of natural persons’. In determining whether a DPIA is required, the nature, scope, context, purpose and type of processing, and any use of new technologies, should be considered.

Examples of processing that will require a DPIA include:

  • Conducting ‘a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling; and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person’;
  • Conducting ‘processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences’;
  • Conducting ‘a systematic monitoring of a publicly accessible area on a large scale’.

Here are a few more examples of when you might need a DPIA:

  • Deciding to use CCTV (particularly facial recognition)
  • Targeting marketing to children
  • Combining datasets from different sources
  • Tracking location and behaviour

The full text is in Article 35(1) of the GDPR.

What should a DPIA include?

A DPIA should include:

  • A description of the processing, including its purpose and the legitimate interest being pursued;
  • The necessity of the processing, its proportionality and the risks that it poses to data subjects;
  • Measures to address those risks (in other words, the data protection by design and data protection by default controls).

When must the supervisory authority be contacted?

Consultation with the supervisory authority is required prior to processing when the DPIA indicates a high risk to data subjects that has not been mitigated. In addition to the DPIA, this communication should include:

  • Responsibilities of the controllers and processors;
  • Purposes and means of the processing;
  • Measures and safeguards;
  • Contact details of the DPO.

If the supervisory authority considers that the processing will not be compliant with the GDPR, or that the controller has not sufficiently mitigated the risks, it will provide written advice to the controller and can block the processing activities. It must do so within eight weeks (extendable by a further six weeks in complex situations).

DPIA conclusion

In summary, if you are using new technologies or your processing is likely to impact on the rights and freedoms of the Data Subject, a DPIA is an excellent way of showing that you have thought through all of the risks involved, and you can demonstrate this to the Supervisory Authority.

Author: Yvonne Morris

twitter: @CloudLegals