Data Protection Impact Assessment

This assessment will provide a comprehensive understanding of the potential risks and vulnerabilities that your company may face in regards to personal data protection. It will also provide clear guidance on how to mitigate these risks and ensure.

Article 35 of the GDPR describes Data Protection Impact Assessments (DPIAs). The purpose of it is to identify and describe all processes that involve personal data within a company. A DPIA is performed to determine the risks associated with data protection, to identify vulnerable points in the security system, and most importantly – to develop procedures to prevent breaches.

A table summarizing the results of the DPIA describes:


What categories, goals, and amounts of personal data the company processes.


The process of collecting and processing data.


The contractors, subcontractors, and employees involved in the process.


Identifying risks, weaknesses, and potential threats.


Planned actions in case of a breach of privacy.


Risk Action Plan

The DPIA is required in two circumstances: either before the start of data collection and processing or when significant changes are made to the company’s already investigated processes. In case you launch a new product, a DPIA is required to assess the risks associated with processing personal data. It is also necessary when the data processing environment changes (new hardware, software, or processing rules are introduced), or when new categories of data are added to existing processes.

The following situations alsorequire an assessment:

Creating electronic records and documents by converting paper-based records and documents.

Consolidating multiple databases into one.

A business’s existing database may be enhanced with personal data gathered from commercial sources.

Modifying the business processes that lead to the collection and use of personal data.

Using third-party suppliers to implement projects.

Changing the nature of personal data due to the addition of new types of information.

The regulation doesn’t specify a frequency for conducting a DPIA since it depends on the company’s activities. This regulation requires a DPIA for every new project that involves personal data.

To protect users’ privacy, interviews, analysis of documents, searching for and detailing business processes that entail risks are long and tedious processes that require attention to detail.

Consider seeking help from certified data protection experts who have conducted dozens of Data Protection Impact Assessments and are familiar with the process.

How does a DPIA benefit you?

Work that requires significant practical experience or in-depth analysis may require significant practical experience. Consultants are more efficient and adept at this type of work.

In case of inspection by the Supervisory Authority, compliance with Article 35 of the Regulation will be assessed.

You will get a table that outlines how all personal data is moved around the company for compliance.

An overview of your organization’s GDPR compliance assessment conducted for customers and partners.

Useful checklists

  1. In order to ensure that our staff understand the importance of considering a DPIA at the earliest stages of any plan involving personal data, we provide training.
  2. DPIA requirements are referenced in our policies, processes, and procedures.
  3. When necessary, we use the screening checklist to determine whether a DPIA is needed for the process.
  4. A DPIA process has been developed and documented.
  5. For relevant staff, we provide training on how to conduct a DPIA.
  1. In any project that involves the use of personal data, we consider conducting a DPIA.
  2. When we plan to do anything else, we consider whether to do a DPIA:
  • Scoring or evaluation;
  • Taking significant decisions through automated decision-making;
  • Monitoring system;
  • Personal or highly sensitive data processing;
  • Scaled-up processing;
  • Vulnerable data subjects’ data processing;
  • Technological or organizational innovations;
  • An action that prevents a data subject from exercising a right or using a service or contract.
  1. We always conduct a DPIA if we want to: 
  • Make significant decisions about people, employ systematic and extensive profiling and automated decision-making;
  • Organize and process large amounts of data related to special categories or crimes;
  • Maintain a large-scale, systematic monitoring of a public area;
  • Utilize innovative technology along with any of the guidelines in the European Union;
  • Use special category data, automated decision-making, or profiling to assess someone’s eligibility for a service, opportunity, or benefit;
  • Perform large-scale profiling;
  • Use biometric or genetic data in conjunction with any of the criteria in the European guidelines;
  • Compile, compare, or match data from multiple sources;
  • Combine any of the criteria in the European guidelines with processing personal data without providing a privacy notice directly to the individual; 
  • Process that involves tracking a person’s location or behavior online or offline, in combination with the European guidelines; 
  • Use children’s personally identifiable information for profiling and automated decisions, or to market to them directly;
  • Process personal data that might result in physical harm in the case of security breaches. 
  1. Whenever anything about our processing changes, we’ll conduct a new DPIA.
  2. In the event we do not conduct a DPIA, we document the reason for the decision.
  1. The scope, context, and purposes of the processing are described.
  2. During the contracting process, we require our data processors to explain and document the processing activities and identify potential risks.
  3. Consultations with stakeholders (or their representatives) are carefully considered.
  4. Our Data Protection Officer advises us.
  5. As part of our data processing review, we describe how we will ensure compliance with the requirements of data protection laws and verify whether the processing is appropriate and proportionate for our purposes.
  6. Risks to a person’s rights and interests are objectively assessed.
  7. To eliminate or reduce high risks, we identify the measures we can take.
  8. As part of the outcome of the DPIA, we record our decision-making, including disagreements with the DPO or individuals consulted.
  9. Our project plan incorporates the measures we identified.
  10. Before processing, if high risks cannot be mitigated, we consult the ICO.
  11. Our DPIAs are reviewed whenever necessary.
  1. Ascertained whether this DPIA relates to pre-GDPR processing or to planned processing and confirmed timelines in both cases; 
  2. Described why a DPIA was necessary, including the types of intended processing that made it a necessity;
  3. Clarified, organized, and logically structured the document;
  4. Using plain English and explaining technical terms and acronyms we have used, we wrote the DPIA with a non-specialist audience in mind. 
  5. Indicating the relationship between controllers, processors, data subjects, and systems, using both a text description and a data-flow diagram when appropriate;
  6. A clear explanation and presentation of any data flows between people, systems, organizations and countries has been made;
  7. We clearly outlined how we are adhering to all of the Data Protection Principles under GDPR, as well as our legal basis for the processing (and conditions applicable to special categories of data); 
  8. We outlined our approach to supporting the relevant rights of our data subjects.
  9. Assessed all relevant risks to individuals’ rights and freedoms, analyzed their likelihood and severity, and documented all appropriate mitigations;
  10. Provided a sufficient explanation of how any proposed mitigation reduces the identified risk;
  11. We gave reasons why we did not choose less risky alternatives to achieve the same purpose;
  12. Detailed stakeholder consultations (e.g., data subjects, representative bodies) with summaries of the findings;
  13. The DPIA was signed off by the appropriate people after recording the advice and recommendations of our DPO (where applicable);
  14. Set up a schedule for reviewing the DPIA regularly or when its nature, scope, context, or purposes change;
  15. The supervisory authority has been consulted if there are any residual high risks that cannot be mitigated.

We are here for you!

When you complete the form, you will:

Contact Sales

Learn what Data Privacy Office Europe can do for you.

Fill out the form and we will contact you as soon as possible!

Get an offer