Data Protection Impact Assessments under the GDPR

What is a DPIA?

A DPIA (data protection impact assessment) is a process that helps organisations identify and minimise risks that result from data processing. DPIAs are usually undertaken when introducing new data processing processes, systems or technologies.

Why are DPIAs important?

DPIAs are a legal requirement under the GDPR (General Data Protection Regulation) for data processing that is likely to be ‘high risk’. Failure to carry out a DPIA when required may leave you open to enforcement action. This can include a fine up to 2% of your organisation’s annual global turnover or €10 million – whichever is greater.

Regular DPIAs support the GDPR’s accountability principle, helping organisations demonstrate compliance. Conducting a DPIA can also help increase awareness of privacy and data protection issues within an organisation.


Key elements of a successful DPIA

The GDPR does not specify which DPIA process must be followed, but instead allows organisations to introduce a framework that complements their existing working practices.

When initiating a DPIA as part of your organisation’s GDPR compliance project, it is important to identify whether you have the right training, resources and expertise to fulfil the DPIA requirements.

The key elements of a successful DPIA are:

  • Identifying whether a DPIA is required;
  • Defining the characteristics of the project to enable the risks to be assessed;
  • Identifying data protection and related risks;
  • Identifying data protection solutions to reduce or eliminate the risks;
  • Signing off on the outcomes of the DPIA; and
  • Integrating data protection solutions into the project.

The Regulation also stipulates that national data protection authorities must make public a list of the kinds of processing operations that are subject to these requirements. In addition, the GDPR provides that each supervisory authority must produce further guidance as to which processing activities require a DPIA and which do not.

When should a DPIA be conducted?

A DPIA should be conducted as early as possible within any new project lifecycle, so that its findings and recommendations can be incorporated into the design of the processing operation.

Known as ‘privacy by design’, the embedding of data privacy features in the design of projects can have the following benefits:

  • Potential problems are identified at an early stage.
  • Addressing problems early is often easier and cheaper.
  • Awareness of privacy and data protection increases across the organisation.
  • Organisations are less likely to breach the GDPR.
  • Actions are less likely to be privacy intrusive or to have a negative impact on individuals.

What is ‘privacy by design’?

DPIAs are an integral part of taking a privacy-by-design approach.

Privacy by design means that privacy issues are considered and embedded into a programme’s design from an early stage.

Who should be involved in a DPIA?

Data controllers are responsible for ensuring the DPIA is carried out correctly.

The DPIA should be conducted by people with appropriate expertise and knowledge of the project in question, normally the project team. If your organisation does not have staff with sufficient expertise and experience, you could consider bringing in external specialists to consult or to carry out the DPIA.

Under the GDPR, any organisation with a designated DPO (data protection officer) must seek the DPO’s advice. This advice and the decisions taken should be documented as a part of the DPIA process.

Examples of personal data processing where a DPIA is likely to be required

  • A hospital processing its patients’ genetic and health data.
  • Archiving pseudonymised sensitive data from research projects or clinical trials.
  • An organisation using an intelligent video analysis system to single out cars and automatically recognise registration plates.
  • A company systematically monitoring its employees’ activities, including their workstations and Internet activity.
  • Gathering public social media data for generating profiles.
  • An institution creating a national credit rating or fraud database.

The EU’s Article 29 Working Party (WP29), in its guidelines on DPIAs, sets out the criteria that organisations should consider when determining the risks posed by a processing operation. The more criteria that a processing activity meets, the more likely it is to present a high risk to the rights and freedoms of individuals, and therefore to require a DPIA.


Our solutions to help you conduct a DPIA

Speed up and simplify the DPIA (data protection impact assessment) process and ensure compliance with a key GDPR requirement.

IT Governance offers a free 7-day trial of our software tools.

DPIA Consultancy Service

Get an on-site, expert assessment of the risks associated with your data processing activities with our fixed-price DPIA consultancy service.

EU General Data Protection Regulation (GDPR) Documentation Toolkit

Ensure GDPR compliance with IT Governance’s market-leading GDPR documentation toolkit. It contains a complete set of easy-to-use documentation templates, including a DPIA template, and a DPIA tool.

Speak to a GDPR advisor

Please contact our GDPR team for advice and guidance on our products and services.
