Data Protection Impact Assessments + GDPR Article 35

At a glance

• Data Protection Impact Assessments (DPIA) help organizations identify and address the risks involved in certain data processing activities.
• A complete DPIA should include details on the proposed processing, why the data is being processed, an evaluation on whether the processing is necessary, and proposed measures to ensure the security of consumers’ personal data.
• DPIA are also required under many state privacy laws, including the Virginia Consumer Data Protection Act, Colorado Privacy Act, and the California Consumer Rights Act. 

Table of contents

• What is a data protection impact assessment (DPIA)?
• DPIA vs PIA
• When to conduct a data protection impact assessment
• Defining “large-scale” or “high-risk” data processing
• What to include in your DPIA
• What states require data protection impact assessments?

What is a data protection impact assessment (DPIA)?

Data protection impact assessments (DPIA) help organizations identify and address the risks involved in certain data processing activities. A byproduct of the General Data Protection Regulation (GDPR), GDPR Article 35 outlines when a data protection impact assessment is necessary and what businesses need to include. 

In broad strokes, data protection assessments are required when a business is engaging in risky data processing activities like profiling that affects how a consumer is treated, collecting and processing sensitive personal information, and large-scale surveillance of a public area. We’ll cover this in greater detail below.

A complete DPIA should include details on the proposed data processing, why the data is being processed, evaluation on whether the processing is necessary and proportionate, and proposed measures to ensure the safety and security of consumers’ personal data.

DPIA are also required under several state privacy laws, including the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the California Consumer Rights Act, and more. 

DPIA vs PIA

The terms data protection impact assessment (DPIA) and privacy impact assessment (PIA) are often used interchangeably. And though they have similar goals—identifying and mitigating data processing and privacy risks—they also have different backgrounds and requirements. 

Here’s a few top-level differences between DPIA and PIA.

Privacy impact assessments are…

• Required by the E-Government Act
• Used by Federal agencies under the scope of the E-Government Act
• Meant to identify privacy requirements for new products and projects
• A way for your company to evaluate data security, processing risk, and compliance with current privacy laws

Data protection impact assessments are…

• Required under GDPR Article 35
• Required when a company is engaged in risky data processing
• Required under several US state privacy laws (CPRA, VCDPA, CPA, CTDPA, and more)
• Intended to identify and minimize risky data processing
• A way for companies to evaluate compliance with relevant privacy laws

When to conduct a data protection impact assessment

GDPR Article 35 outlines when and how a business should conduct a data protection impact assessment—stating that a DPIA is required when data processing is: 

DPIA are also required when certain types of data processing is occurring on a “large-scale.” We cover how companies can evaluate whether processing is “high-risk” or “large-scale” in the next section.

Part of the GDPR’s ‘data protection by design and default’ principle, companies must conduct a DPIA before beginning a project that involves any kind of risky data processing. 

Remember, data protection by design means companies need to consider consumer data protection at every stage when building new products or launching new services. Privacy should be built into the product, rather than tacked on as a hasty afterthought. 

Data protection impact assessments should give your company guardrails for building in-line with the ‘data protection by design’ principle—helping reveal any potential risks to the consumer upfront.

That’s why DPIAs are strongly recommended before product development starts—and are explicitly required before potentially risky data processing begins. GDPR Article 35 outlines several data processing activities that can be considered risky, including: 

• Automated profiling 
• Collecting biometric data (including facial recognition)
• Public surveillance
• Large-scale processing of personal information 
• Processing sensitive personal information

To offer more clarity on these guidelines, the European Commissioner's office has offered a few concrete examples as to what risky data processing might look like in practice. 

• Banks or financial institutions screening customers as part of a credit check
• Biotechnology companies processing consumer genetic data to predict health risks or other diseases
• Profiling consumers based on website use and behavior
• Automated profiling that leads to discrimination or exclusion
• “Systematic monitoring” of a public area
• Private investigators retaining personal information about an offender
• Hospitals keeping patient medical records

How do you define “large-scale” or “high-risk” data processing?

We now know that GDPR Article 35 requires a data protection impact assessment when data processing presents a “high risk” to consumers or is happening at a “large-scale.”

But GDPR doesn’t offer context on what “high risk” or “large scale” means in practical terms—creating ambiguity and confusion for privacy professionals looking to stand up a DPIA initiative.

This in mind, savvy program managers will work to create an internal framework for defining these terms. That way, in the event of an audit or potential enforcement action, your company can demonstrate a well-documented good faith effort.

Luckily, regional regulators in the UK, Netherlands, Germany, Estonia, and the Czech Republic have offered businesses further insight into how they approach “large-scale” and “high-risk” data processing. 

United Kingdom

The UK Information Commissioner's Office (ICO) states that the “UK GDPR does not contain a definition of large-scale processing,” but that organizations should consider:

• How many consumers are involved
• The volume and variety of data being processed
• How long the processing will last
• “The geographical extent of the processing”

They also offer a few examples of what large-scale processing might look like:

• Tracking individuals as they use public transport
• Tracking a customer's real-time location
• Processing financial or insurance data
• Processing data for behavioral advertising
• Hospitals processing patient data

Though ICO doesn’t offer discrete thresholds, it does outline several red flags that could indicate a higher level of risk, including: 

• Profiling consumers or using automated decision-making in a way that affects their experience of your product or service
• Deploying technologies like machine learning and artificial intelligence
• Using biometric devices at scale
• Collecting or processing sensitive personal information
• Engaging in widespread monitoring or surveillance

Netherlands

Offering guidance on the healthcare sector specifically, the Netherlands data protection authority views data processing as large-scale if it’s conducted by: 

• Pharmacies, hospitals, and care groups 
• Solo practitioners that have registered or treated over 10,000 patients 

Germany

The German Federal Data Protection Commission offers a detailed guide, but generally considers a data processing operation to be large-scale if it covers:

• Over 5 million people or 
• Over 40% of the population

Estonia

In a LinkedIn post, Estonia’s data protection commissioner outlined how his agency approaches large-scale data processing, offering the following thresholds for when data processing triggers a DPIA.

• 5,000 people for processing sensitive personal data
• 10,000 people for processing data related to financial services, communications data, location data, and automated profiling
• 50,000 people for any other form of data processing

Czech Republic

The Czech Republic’s data protection authority has stated that data processing is considered large-scale when it: 

• Covers 10,000 or more data subjects 
• Is managed by over 20 company branches or 20 employees

What to include in your DPIA

Under GDPR Article 35, a data protection impact assessment must contain: 

• A clear description of the proposed data processing
• Purposes of processing, including details on which legitimate interest your organization intends to pursue
• Analysis on why the data processing is necessary and whether it’s proportionate to the task at hand
• Analysis of how the processing may affect a consumer's rights and freedoms
• Proposed steps to safeguard personal data and mitigate potential risks

The UK Information Commissioner's Office offers a detailed DPIA checklist, encouraging businesses to include, among other things: 

• Explanation of why a DPIA was conducted
• Details on the relationships between the data collectors, processors, systems, and consumers (including diagrams where applicable)
• Details on how the data is flowing between each of those groups
• A plan on how the company plans to fulfill consumers’ data rights
• Risks to the consumers and how those risks will be mitigated
• Documented consideration of other, less risky processing approaches
• Schedule for regularly reviewing the DPIA

We highly recommend you read the full ICO Data Protection Impact Assessment guide.

What states require data protection impact assessments?

At the time of this writing, 11 US states have comprehensive privacy laws. Several, though not all, of those laws require data protection impact assessments, including: 

• Virginia Consumer Data Protection Act (VCDPA) - effective January 1, 2023
• California Privacy Rights Act (CPRA) - effective January 1, 2023
• Colorado Privacy Act (CPA) - effective July 1, 2023
• Connecticut Data Privacy Act (CDPA) - effective July 1, 2023
• Montana Consumer Data Protection Act (MCDPA) - effective October 1, 2024
• Texas Data Privacy and Security Act (TDPSA) - effective July 1, 2024
• Delaware Personal Data Privacy Act (DPDPA) - effective January 1, 2025
• Tennessee Information Protection Act (TIPA) - effective July 1, 2025
• Indiana Consumer Data Protection Act (ICDPA) - effective January 1, 2026

The threshold for when a data protection assessment is required differs slightly between each state, so be sure to review the relevant text when considering whether your organization should conduct a DPIA.

About Transcend

Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.

Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.

Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.

References

• ICO - Data protection impact assessments
• When is a Data Protection Impact Assessment (DPIA) required?
• Guidelines on Data Protection Impact Assessment (DPIA)
• GDPR Article 35
• When do we need to do a DPIA?
• US State Privacy Legislation Tracker
• On large-scale data processing and GDPR compliance
• GDPR's Most Frequently Asked Questions: What does "Large Scale" mean when determining whether a data protection officer is necessary?