What is a DPIA? Do I need to do one?

The abbreviation DPIA refers to the Data Protection Impact Assessment.

How to identify processing operations subject to a DPIA

According to the European Data Protection Board (EDPB), the drafting of a DPIA is mandatory when 2 criteria from the list below are met.

Conversely, an impact assessment is not required for certain types of operations, notably:

  • the processing involves the collection of personal data on a large scale;
  • the processing involves combining data;
  • the processing involves systematic monitoring;
  • the processing involves an evaluation (scoring, profiling);
  • the processing is based on automated decision-making;
  • the processing involves the collection of sensitive data or highly personal data (bank card number…);
  • the processing involves the collection of data from vulnerable persons;
  • the processing involves the use of innovative technology;
  • the processing has the effect of excluding the benefit of a right or contract (blacklists…).

Processing not subject to a DPIA

  • processing carried out for human resources purposes;
  • processing carried out by lawyers in the exercise of their profession on an individual basis;
  • processing for supplier relationship management.

Methodology

There are 4 main steps: study of the context, study of the fundamental principles attached to data processing, study of the risks generated by the processing and validation of the analysis.

The latter is formalized by positioning the risks in relation to each other, i.e. before and after the application of additional measures.