Data Protection Impact Assessment: When is it required and how do you document it properly?

A data protection impact assessment (DPIA) sounds like a lot of work. And although it’s not just a box-ticking exercise, it won’t eat up your whole week either – as long as you know when it’s really necessary and what needs to be included.

When is a DPIA required?

A DPIA is always required when processing personal data is “likely to result in a high risk” to the rights and freedoms of data subjects. This can sound very abstract at first.

In practice this means: If two or more of the following characteristics apply to your planned processing, you should have a closer look:

  • You process sensitive or highly personal data (e.g., health data, biometric data, union membership).
  • You evaluate or classify individuals – for example, through scoring or profiling.
  • You systematically monitor people (e.g., through comprehensive video surveillance or the routine review of all log files).
  • You process data on a large scale, for example, affecting a very large number of data subjects or continuing over a long period of time.
  • You merge or cross-reference data sets from different contexts.
  • You process data about individuals with whom there is a significant power imbalance (e.g., employees, patients, children).
  • The system used makes automated decisions without human oversight, e.g., regarding job interviews or granting loans.
  • You use new technologies whose impact on privacy is not yet fully foreseeable – for example, AI-supported systems.
  • Individuals are prevented from exercising their data protection rights.

In addition, data protection supervisory authorities publish so-called “blacklists” of processing activities for which a DPIA is always mandatory. The Bavarian supervisory authority, for example, lists among other things the use of biometric data for unique identification and extensive video surveillance. It’s worth checking the list that applies to you.

What should a DPIA include?

The GDPR sets clear requirements for what a DPIA must contain:

  • A systematic description of the planned processing operations – that is: What happens to which data, why, and how?
  • An assessment of necessity and proportionality – is the processing truly necessary to achieve the intended purpose?
  • An assessment of the risks to the rights and freedoms of the data subjects.
  • The planned risk mitigation measures – that is, specific technical and organizational measures (TOMs) that reduce the risk to an acceptable level.

Sound like a lot? It can be sometimes.

But: You already have most of the basics in your data protection documentation (e.g., in foxondo). The DPIA builds on this, consolidating and evaluating what already exists. And it makes it easier to demonstrate that you’ve given this careful consideration.

Where can I find the DPIA topic in foxondo? And how can I document it there?

In every process/data processing activity, you’ll find a separate question regarding the data protection impact assessment. Once you answer this, you’ll know whether you need to conduct a DPIA or not.

In the “Forms & Checklists” module, you’ll find a questionnaire on the topic of DPIA. This allows you to create a DPIA or at least prepare one so that a DPO can review it.

It is best to save the result of the DPIA as a document within the respective process.

Please note: If the process changes significantly, you must review and update the DPIA. This may be the case, for example, if new technologies are implemented or the scope of processing increases significantly.

And if the risk still remains too high?

Then you can consult the competent data protection supervisory authority.

This is called “prior consultation” (Art. 36 GDPR) and rarely occurs in practice—but it’s good to know that this step may be necessary.

Not sure whether a DPIA is required for one of your processes? Check the blacklist published by your relevant supervisory authority—and if in doubt, consult your data protection officer. Better to check one time too many than to leave something undocumented.