According to the Regulation, a DPIA shall be done if:

  • automated processing on which decisions producing legal effects on physical persons are taken,
  • sensitive data processing (including offences and convictions),
  • systematic monitoring a public area on a large scale basis.

It goes without saying that not all companies out there will be required to undertake such activity, however, the DPIA is probably the most comprehensive source of information when it comes to know where your company falls short in GDPR compliance.

Normally a DPIA contains;

  • a description of the data process and its purposes,
  • controller’s legitimate interest,
  • an assessment on the proportionality of the data processes (with the forecasted window for erasure),
  • data subjects’ consent,
  • data subjects’ rights and risk assessment,
  • data protection by design and default

Supervisory authorities can set additional conditions.

Michele La Neve explains the privacy impact assessment assessment according to the GDPR

Therefore, even if not required y the Regulation, a DPIA is a very useful exercise,

  1. it is an important opportunity to assess if data processing is actually grounded (proportionality, consent, erasure)
  2.  risk mapping purposes. If you know riskier practices you can avoid their pitfalls, proactively.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s