DPIAs are a useful way for data controllers to implement data processing systems that comply with the GDPR and can be mandatory for some types of processing. They are scalable and can take different forms, but the GDPR sets out the basic requirements of an effective DPIA. Data controllers should see the carrying out of a DPIA as a useful and positive activity that aids legal compliance.
Article 24(1) sets out the basic responsibility of the controller in terms of complying with the GDPR: “taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary”.
The DPIA is a key part of complying with the Regulation where high risk data processing is planned or is taking place. This means that data controllers should use the criteria set out in this document to determine whether or not a DPIA has to be carried out. Internal data controller policy could extend this list beyond the GDPR’s legal requirements. This should result in greater trust and confidence of data subjects and other data controllers.
Where a likely high risk processing is planned, the data controller must:
- choose a DPIA methodology (examples given in Annex 1) that satisfies the criteria in Annex 2, or specify and implement a systematic DPIA process that:
  o is compliant with the criteria in Annex 2;
  o is integrated into existing design, development, change, risk and operational review processes in accordance with internal processes, context and culture;
  o involves the appropriate interested parties and defines their responsibilities clearly (controller, DPO, data subjects or their representatives, business, technical services, processors, information security officer, etc.);
- provide the DPIA report to the competent supervisory authority when required to do so;
- consult the supervisory authority when they have failed to determine sufficient measures to mitigate the high risks;
- periodically review the DPIA and the processing it assesses, at least when there is a change in the risk posed by the processing operation;
- document the decisions taken.