GDPR DPIA – Data Privacy Impact Assessment

Before processing personal data, you, as the controller, should check whether the processing poses a significant risk to the rights and freedoms of the data subjects. GDPR calls this procedure a Data Privacy Impact Assessment, or GDPR DPIA. This procedure is key to understanding the risks of any processing and the way in which they can be managed.

Most SMEs may not be required to conduct an impact assessment. Please visit the site of your national data protection authority to find out what the requirements are.

If your processing is not on your authority's list, you must still check whether your intended processing involves any of the activities below; if it does, a DPIA must still be carried out.

  • An assessment of personal aspects such as profiling, followed by a decision about the natural person involved;
  • A large-scale processing of special categories of personal data as referred to in Article 9 or 10 of the GDPR;
  • Systematic and large-scale monitoring of publicly accessible spaces.

As an example, below is the list of processing operations for which the Belgian authority (GBA) requires an impact assessment.

  • where the processing uses biometric data for the purpose of uniquely identifying data subjects who are in a public place or in private areas accessible to the public;
  • when personal data is collected from third parties in order to subsequently be taken into account in the decision to refuse or terminate a specific service agreement with a natural person;
  • when health data of a data subject is collected automatically by means of an active implantable medical facility;
  • when data is collected on a large scale from third parties in order to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, location or movements of natural persons;
  • when special categories of personal data within the meaning of Article 9 of the GDPR, or data of a very personal nature (such as data on poverty, unemployment, involvement of youth care or social work, data on household and private activities, location data), are systematically exchanged between multiple controllers;
  • when there is large-scale processing of data generated by devices with sensors that transmit data via the internet or via another medium ('internet of things' applications, such as smart televisions, smart household appliances, connected toys, smart cities, smart energy meters, etc.) and this processing serves to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, location or movements of natural persons;
  • when there is large-scale and/or systematic processing of telephony, internet or other communication data, metadata or location data from or traceable to natural persons (for example, WiFi tracking or processing of location data of travellers in public transport) and the processing is not strictly necessary for a service requested by the data subject;
  • where there is large-scale processing of personal data whereby the behaviour of natural persons is systematically observed, collected, recorded or influenced by automated processing, including for advertising purposes.

Therefore, if you carry out processing operations that appear on the list, you are obliged to perform a DPIA before the start of your processing. Its outcome may also lead to the conclusion that prior consultation of your national authority is necessary.

Not all processing operations for which a prior DPIA is performed require prior advice from the data protection authority. You are required to consult your national authority before starting your processing if your DPIA reveals a high residual risk, that is, a risk that remains despite the measures you have taken or will take to mitigate it. For more information, consult the website of your national authority.