According to the Regulation, a DPIA shall be done if:
- automated processing on which decisions producing legal effects on physical persons are taken,
- sensitive data processing (including offences and convictions),
- systematic monitoring a public area on a large scale basis.
It goes without saying that not all companies out there will be required to undertake such activity, however, the DPIA is probably the most comprehensive source of information when it comes to know where your company falls short in GDPR compliance.
Normally a DPIA contains;
- a description of the data process and its purposes,
- controller’s legitimate interest,
- an assessment on the proportionality of the data processes (with the forecasted window for erasure),
- data subjects’ consent,
- data subjects’ rights and risk assessment,
- data protection by design and default
Supervisory authorities can set additional conditions.
Therefore, even if not required y the Regulation, a DPIA is a very useful exercise,
- it is an important opportunity to assess if data processing is actually grounded (proportionality, consent, erasure)
- risk mapping purposes. If you know riskier practices you can avoid their pitfalls, proactively.