Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) is a process undertaken when you believe that an activity has the potential to create a high risk to the data subject. Within ProvePrivacy, we provide a high risk assessment tool to help determine whether a DPIA might be required.

The process will help you to understand the risks and to mitigate them. If you are unable to reduce the risks to an acceptable level, the DPIA process also helps you to gain assurances from the supervisory authority that you can continue with the activity if required.

You must complete a DPIA for processing that is likely to result in a high risk to individuals. ProvePrivacy assesses this via the High Risk Assessment, an effective screening checklist to help you decide when to do a DPIA.

It is also good practice to do a Data Protection Impact Assessment for any other major project which requires the processing of personal data.

A good DPIA will:

  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals; and
  • identify any additional measures to mitigate those risks.

To assess the level of risk, you should consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.

You should consult your DPO (if you have one) and, where appropriate, individuals and relevant experts. A good DPIA will also consult third parties such as your data processors to provide a rounded view of risks and mitigation measures.

If you identify a high risk that you cannot mitigate, you must consult your supervisory authority before starting (or continuing with) the processing.

How can ProvePrivacy Help?

ProvePrivacy allows RoPA users to review each and every activity against the high risk criteria to determine if a DPIA is required. If one is required, ProvePrivacy provides a template and a tracking tool, and allows you to upload your final document as evidence.
