Privacy

DPIA

Data Protection Impact Assessment — a risk assessment required before high-risk data processing activities.

A Data Protection Impact Assessment (DPIA) is a process to help organisations identify and minimise the data protection risks of a project or processing activity.

When Is a DPIA Required?

A DPIA is mandatory when processing is likely to result in a high risk to individuals, including:

  • Systematic and extensive profiling with significant effects
  • Large-scale processing of sensitive data
  • Systematic monitoring of a publicly accessible area
  • New technologies that may create novel privacy risks

What a DPIA Contains

  • A description of the processing and its purposes
  • An assessment of necessity and proportionality
  • An assessment of risks to data subjects
  • The measures planned to address those risks

GDPR Article 35. Also see privacy impact assessment.

Related Terms

Privacy by DesignPrivacy

An approach that embeds privacy protections into systems and processes from the start, rather than adding them later.

DPOPrivacy

Data Protection Officer — an independent expert responsible for monitoring an organisation's data protection compliance.

ProfilingPrivacy

Any form of automated processing of personal data to evaluate or predict aspects of a person's behavior, preferences, or characteristics.

GDPRLegal

The General Data Protection Regulation — the EU's comprehensive data protection law, effective since May 2018.

Privacy Impact AssessmentCompliance

A systematic process for evaluating how a project or system will affect the privacy of individuals.

DPO