A data protection impact assessment (DPIA) is a process designed to help organisations determine how data processing systems, procedures or technologies affect individuals' privacy, and to identify and mitigate any risks that could lead to non-compliance. Conducting data protection impact assessments is a key requirement under the European Union's General Data Protection Regulation (GDPR), enacted in May 2018, which introduced a mandate for companies to perform DPIAs before carrying out types of data processing that result in high risks to individuals' rights and freedoms.
The EU’s General Data Protection Regulation (GDPR) includes dozens of new rules (and many old ones) that organisations must follow in order to protect the personal information they collect about their clients or about people who visit their websites. Organisations that fail to comply with the GDPR risk severe penalties, including fines of up to $20 million or 4 percent of annual revenue, whichever is higher.
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
While this passage makes it clear that a DPIA is required by law under certain conditions, it is unhelpfully light on specifics. To help clarify the situation, here are some concrete examples of the types of conditions that would require a DPIA:
In other cases, where the high-risk standard is not met, it may still be prudent to conduct a DPIA to minimise your liability and to ensure that best practices for data security and privacy are being followed in your organisation. Remember that most data breaches trigger regulatory obligations of their own.
One of the most important ways to demonstrate to authorities that your organisation complies with the GDPR is to prepare a DPIA for each of your high-risk data processing activities.
Sources:
techtarget.com (Definition)
GDPR.EU