Do you want to avoid GDPR pitfalls? Perform a Data Protection Impact Assessment

This post is also available in: it fr es

According to the Regulation, a DPIA shall be done if:

  • automated processing on which decisions producing legal effects on physical persons are taken,
  • sensitive data processing (including offences and convictions),
  • systematic monitoring a public area on a large scale basis.

It goes without saying that not all companies out there will be required to undertake such activity, however, the DPIA is probably the most comprehensive source of information when it comes to know where your company falls short in GDPR compliance.

Normally a DPIA contains;

  • a description of the data process and its purposes,
  • controller’s legitimate interest,
  • an assessment on the proportionality of the data processes (with the forecasted window for erasure),
  • data subjects’ consent,
  • data subjects’ rights and risk assessment,
  • data protection by design and default

Supervisory authorities can set additional conditions.

Michele La Neve explains the privacy impact assessment assessment according to the GDPR

Therefore, even if not required y the Regulation, a DPIA is a very useful exercise,

  1. it is an important opportunity to assess if data processing is actually grounded (proportionality, consent, erasure)
  2.  risk mapping purposes. If you know riskier practices you can avoid their pitfalls, proactively.



Published by

Michele La Neve

White Collar Crime Attorney at Whitecotton Law Dedicated to Helping Clients Overcome Unforeseen Business Risks.

Leave a Reply