Guidelines on Data Protection Impact Assessment (DPIA)

Date: 27th November 2017 - 12:58 pm

Regulation 2016/679 (GDPR) will apply from 25 May 2018. Article 35 of the GDPR introduces the concept of a Data Protection Impact Assessment (DPIA), as does Directive 2016/680.
A DPIA is a process designed to describe the processing, assess the necessity and proportionality of a processing and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing them and determining the measures to address them). DPIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation (see also Article 24). In other words, a DPIA is a process for building and demonstrating compliance.
Under the GDPR, non-compliance with DPIA requirements can lead to fines imposed by the competent supervisory authority. Failure to carry out a DPIA when the processing is subject to a DPIA (Article 35(1) and (3)), carrying out a DPIA in an incorrect way (Article 35(2) and (7) to (9)), or failing to consult the competent supervisory authority where required (Article 36(3)(e)), can each result in an administrative fine of up to 10M€, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The following figure illustrates the generic iterative process for carrying out a DPIA:

Privacy Consulting

Organizational Model of Management and Control of Privacy

Having the support of a consulting firm gives the company the ability to achieve and maintain legal compliance, and to be accompanied during any type of inspection or audit by professionals able to respond efficiently and produce the required documentation.
