A Data Protection Impact Assessment (DPIA) is a mandatory risk assessment process under GDPR Article 35 that must be completed before any processing of personal data that is likely to result in a high risk to individuals' rights and freedoms. DPIAs go beyond general Privacy Impact Assessments (PIAs) by requiring GDPR-specific compliance analysis, a mechanism for consulting the supervisory authority, and documented accountability measures.
DPIA triggers include systematic profiling with legal effects, large-scale processing of special categories of data, and systematic monitoring of publicly accessible areas. The assessment documents the nature, scope, context, and purposes of the processing. It evaluates necessity and proportionality against the stated purpose, identifies risks to data subjects (discrimination, financial loss, reputational damage, loss of control), and describes the measures that address those risks.

Technical measures might include pseudonymization, encryption, and access controls. Organizational measures include staff training, data processing agreements, and breach response procedures. If residual risk remains high after mitigation, the controller must consult the supervisory authority under Article 36 before proceeding. DPIAs are living documents that must be reviewed whenever the processing operations change.
Supervisory authorities have issued significant fines for failure to conduct required DPIAs. The French CNIL fined a company 400,000 euros partly for missing DPIAs on employee monitoring systems. DPIAs are a cornerstone of GDPR's accountability principle -- they demonstrate that organizations have proactively considered and addressed privacy risks rather than simply reacting to incidents. The European Data Protection Board's guidelines establish criteria that make DPIAs mandatory for most modern data processing activities involving personal data at scale.
CDA positions DPIA execution as a critical Data Protection and Sovereignty deliverable within C-BUILD campaigns. Our Theater missions provide GDPR-aligned DPIA templates, threshold assessment checklists, supervisory authority consultation workflows, and continuous review triggers that maintain compliance as processing activities evolve.