Senior Content Marketing Manager
July 6, 2023 · 7 min read
Data protection impact assessments (DPIA) help organizations identify and address the risks involved in certain data processing activities. A byproduct of the General Data Protection Regulation (GDPR), GDPR Article 35 outlines when a data protection impact assessment is necessary and what businesses need to include.
In broad strokes, data protection assessments are required when a business is engaging in risky data processing activities like profiling that affects how a consumer is treated, collecting and processing sensitive personal information, and large-scale surveillance of a public area. We’ll cover this in greater detail below.
A complete DPIA should include details on the proposed data processing, why the data is being processed, evaluation on whether the processing is necessary and proportionate, and proposed measures to ensure the safety and security of consumers’ personal data.
DPIAs are also required under several state privacy laws, including the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the California Consumer Rights Act, and more.
The terms data protection impact assessment (DPIA) and privacy impact assessment (PIA) are often used interchangeably. And though they have similar goals—identifying and mitigating data processing and privacy risks—they also have different backgrounds and requirements.
Here are a few top-level differences between DPIAs and PIAs.
GDPR Article 35 outlines when and how a business should conduct a data protection impact assessment—stating that a DPIA is required when data processing is:
“Likely to result in a high risk to the rights and freedoms of natural persons.”
DPIAs are also required when certain types of data processing occur on a “large scale.” We cover how companies can evaluate whether processing is “high-risk” or “large-scale” in the next section.
As part of the GDPR’s ‘data protection by design and by default’ principle, companies must conduct a DPIA before beginning a project that involves any kind of risky data processing.
Remember, data protection by design means companies need to consider consumer data protection at every stage when building new products or launching new services. Privacy should be built into the product, rather than tacked on as a hasty afterthought.
Data protection impact assessments should give your company guardrails for building in line with the ‘data protection by design’ principle, helping reveal any potential risks to the consumer upfront.
That’s why DPIAs are strongly recommended before product development starts—and are explicitly required before potentially risky data processing begins. GDPR Article 35 outlines several data processing activities that can be considered risky, including:
To offer more clarity on these guidelines, the European Commissioner's office has offered a few concrete examples as to what risky data processing might look like in practice.
We now know that GDPR Article 35 requires a data protection impact assessment when data processing presents a “high risk” to consumers or is happening at a “large scale.”
But GDPR doesn’t offer context on what “high risk” or “large scale” means in practical terms—creating ambiguity and confusion for privacy professionals looking to stand up a DPIA initiative.
With this in mind, savvy program managers will work to create an internal framework for defining these terms. That way, in the event of an audit or potential enforcement action, your company can demonstrate a well-documented, good-faith effort.
Luckily, regional regulators in the UK, Netherlands, Germany, Estonia, and the Czech Republic have offered businesses further insight into how they approach “large-scale” and “high-risk” data processing.
The UK Information Commissioner's Office (ICO) states that the “UK GDPR does not contain a definition of large-scale processing,” but that organizations should consider:
They also offer a few examples of what large-scale processing might look like:
Though ICO doesn’t offer discrete thresholds, it does outline several red flags that could indicate a higher level of risk, including:
Offering guidance on the healthcare sector specifically, the Netherlands’ data protection authority views data processing as large-scale if it’s conducted by:
The German Federal Data Protection Commission offers a detailed guide, but generally considers a data processing operation to be large-scale if it covers:
In a LinkedIn post, Estonia’s data protection commissioner outlined how his agency approaches large-scale data processing, offering the following thresholds for when data processing triggers a DPIA.
The Czech Republic’s data protection authority has stated that data processing is considered large-scale when it:
Under GDPR Article 35, a data protection impact assessment must contain:
The UK Information Commissioner's Office offers a detailed DPIA checklist, encouraging businesses to include, among other things:
We highly recommend you read the full ICO Data Protection Impact Assessment guide.
At the time of this writing, 11 US states have comprehensive privacy laws. Several, though not all, of those laws require data protection impact assessments, including:
The threshold for when a data protection assessment is required differs slightly between each state, so be sure to review the relevant text when considering whether your organization should conduct a DPIA.
Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.
Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.
Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.