DPIA (Data Protection Impact Assessment)
Data Protection Impact Assessment under Article 35 GDPR — mandatory where high risk is likely
TL;DR
A Data Protection Impact Assessment (DPIA) is mandatory under Article 35 GDPR where processing is likely to result in a high risk to the rights and freedoms of natural persons — e.g. systematic evaluation, processing of sensitive data on a large scale, systematic monitoring of publicly accessible areas.
What is a DPIA (Data Protection Impact Assessment)?
A DPIA is not mandatory for every processing operation. It only applies where a threshold analysis indicates that 'high risk is likely'. Supervisory authorities publish so-called must-lists, i.e. lists of processing operations that always require a DPIA (e.g. DSK 'List of Processing Operations Requiring a Mandatory DPIA' 10/2018), which name the following indicators: systematic evaluation, large volumes of sensitive data (Article 9), systematic monitoring, new technologies (AI, biometrics), vulnerable persons (children, patients), and data transfers to third countries without an adequacy decision. Contents of a DPIA (Article 35(7)): a description of the processing, an assessment of its necessity, a risk assessment, and the measures envisaged to mitigate the risk.
Practical example
An e-commerce company introduces an AI-based recommendation system that analyses usage patterns. Prior to deployment, a DPIA is carried out:
- Systematic description: which data, sourced from where, for what purpose, for how long
- Necessity assessment: would a less intrusive approach be possible?
- Risk assessment: profiling, risk of discrimination, repurposing
- Mitigation: pseudonymisation, opt-out, bias testing, 90-day retention
- DPO consultation, works council information