top of page


What is a data protection impact assessment?

According to the risk-based approach adopted in the EU General Data Protection Regulation, the concrete measures required by the Regulation are proportionate to the risk to the data subject's rights and freedoms from the processing of personal data. The controller shall carry out an assessment of the risks associated with the processing of personal data in order to determine, on the basis of this assessment, the necessary safeguards and other organizational and technical measures corresponding to the risk. Risks refer to any physical, material or non-material damage that may be caused to the data subject by the processing of personal data, for example where the processing may lead to discrimination, identity theft or fraud, financial loss, social damage or revocation of pseudonymisation.

The purpose of the data protection impact assessment (DPIA) is to identify, assess and manage the risks associated with the processing of personal data. The controller must always assess the risks associated with the processing of personal data before proceeding with the processing of personal data.

When should DPIA be done?

An impact assessment must be carried out where the planned treatment is likely to pose a high risk to human rights and freedoms. An impact assessment must be carried out in particular where:

  • new technology is used to process personal data

  • dealing extensively with criminal convictions, offenses or specific categories of personal data, such as health data, ethnic origin, political opinions, religious beliefs or sexual orientation;

  • a person's personal qualities are assessed through automated processing, systematically and comprehensively, and the assessment leads to decisions that have legal effects or otherwise have a significant impact on the person;

  • an area open to the public is monitored systematically and on a large scale.

How is the DPIA process progressing in practice?

  1. Preliminary assessment:
    The purpose of the preliminary assessment is to identify the data protection risks of a particular service, information system or business process and to determine whether it is a high-risk treatment that requires an actual data protection impact assessment.


  2. Systematic description in the plans of the processing operations and purposes of the processing:
    If the preliminary assessment indicates that there may be a high-risk processing, proceed to a description of the nature, extent, context and purposes of the processing of personal data.

    The description must indicate 
    where and how personal data is collected;
    - the purposes, uses and functional description of the treatment measures;
    - resources used to process personal data (hardware, software, people, documents or channels used to transmit documents);
    - persons having access to the data;
    - the different actors and the purposes for which the data will be disclosed:
    - the retention period and how the data will be securely disposed of.


  3. Assessment of the necessity and proportionality of the processing operations:
    Evaluate the processing for the effective implementation of data protection principles, ensure the exercise of the data subject's rights and identify other rights and freedoms related to the processing of personal data.


  4. Assessment of the risks to the data subjects' rights and freedoms:
    Identify the risks associated with the processing of personal data, taking into account the nature, extent, context, purposes and origin of the risk.

    Risks may include, but are not limited to,
    - security breaches,
    - ambiguities in purpose and legality,
    - spying,
    - unauthorized processing,
    - deficiencies in the usability of personal information,
    - processing of excessive or incorrect information.


  5. A plan to address the risks:
    Make a plan of ways to reduce the risks.

    Means may include, but are not limited to,
    - a decision not to process certain types of data,
    - clarification or delimitation of the subject matter,
    - reduction of retention periods,
    - anonymisation or pseudonymisation of personal data,
    - introduction of written processing instructions,
    - increased human participation in automated decisions,
    - use of different technologies,
    - introduction of clear agreements on exchange of information,
    - providing the data subject with the right to object, where possible, or
    - setting up systems and procedures to support the exercise of individuals' data protection rights.


  6. Documentation of the impact assessment:
    Document the above measures and take responsibility and schedule the implementation and monitoring of the plan.


  7. Implementation of the plan

  8. Prior consultation:
    A prior consultation will be carried out if the impact assessment shows that the processing would pose a high risk to the data subject and the controller has not taken a lower risk through his own actions.


  9. Implementation of the data protection authority's written instructions:
    If the DPA approves the processing by issuing written instructions, the instructions will be implemented in practice.


  10. Monitoring:
    Monitoring the implementation and processing of measures. Revise the impact assessment if the treatment changes significantly.

In practice, DPIA often requires the input of different experts, such as the person in charge of the business process, the IT architect, the data protection officer and the data security officer.

How can Legal Folks help?

In addition to developing DPIA tools and processes, we have been involved in evaluating a number of information system projects, business processes and innovative data utilization entities. With our help, you can effectively implement and document the DPIA process, and you can save time for your own core business.

bottom of page