Data Protection Impact Assessments Under the GDPR
Article 35 of the GDPR deals with the Data Protection Impact Assessment (DPIA). The DPIA is a new requirement under the GDPR and a component of the "data protection by design" principle. Before the processing begins, the controller should carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
This requirement applies to any case in which the processing is likely to result in a high risk to the rights and freedoms of data subjects. In particular, it covers processing that uses new technologies, taking into account the nature, scope, context and purposes of the processing.
A DPIA is thus legally required under certain conditions. The following are concrete examples of the kinds of situations that may call for a DPIA:
- Using new technologies
- Tracking individuals' behavior or location
- Systematically monitoring a publicly accessible area on a large scale
- Processing personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, data concerning health, etc.
- Using automated processing to make decisions about individuals that produce legal or similarly significant effects
- Processing data about children
- Processing data that could lead to physical harm to the data subject if it were leaked
Even where the data being processed does not qualify as high-risk, it may still be worthwhile to carry out a DPIA to reduce your liability and to confirm that best practices for data security and privacy are in place. Note that data breaches are often subject to various regulatory requirements.