This website uses cookies. View our cookie policy

GDPR Data Protection Impact Assessments (DPIAs)


Under the new EU General Data Protection Regulation (GDPR), organisations must carry out DPIAs for any new processing operation of personal data that is likely to create “high risks to the rights and freedoms of natural persons”. The DPIA “should include the measures, safeguards and mechanisms envisaged for mitigating” the identified risks.


When is a DPIA needed?

The GDPR states three cases in which DPIAs must be conducted:

  1. “Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling”.

  2. Where processing sensitive data (e.g. health data, race, political opinions etc.) on a large scale.

  3. ”Systematic monitoring of a publicly accessible area on a large scale”.

    The Regulation also stipulates that national data protection authorities must make public a list of the kind of processing operations that are subject to these requirements.


What do DPIAs require an organisation to do?

DPIAs require an organisation to document:

  • A description of the processing.
  • An assessment of the necessity and proportionality of the processing.
  • An assessment of the necessity and proportionality of the processing.
  • An assessment of the risks to individuals, and the measures taken to address those risks.


What is ‘privacy by design’?

DPIAs are an integral part of taking a privacy–by-design approach.

Privacy by design means that privacy issues are considered and embedded into a programme’s design from an early stage.


What are the benefits of privacy by design?

Taking a privacy-by-design approach is important for reducing privacy risks and building trust. Designing projects, processes, products or systems with privacy in mind can lead to the following benefits:

  • Potential problems are identified at an early stage.

  • Addressing problems early will often be simpler and less costly.

  • Awareness of privacy and data protection will increase across the organisation.

  • Organisations are more likely to meet their legal obligations.

  • Organisations will be less likely to breach the GDPR.

  • Actions are less likely to be privacy intrusive and have a negative impact on individuals.