The DPIA is a self-assessment tool in SENTINEL that helps determine how data processing systems, procedures or technologies affect individuals' privacy, and helps eliminate risks that could put a processing activity out of compliance.
The purpose of a DPIA is to assess the potential impact of a data processing activity on individuals' privacy rights and to identify measures that can be taken to mitigate or eliminate any potential risks. It's particularly important for processing activities that are likely to result in high risks to individuals' rights and freedoms, such as processing sensitive personal data or engaging in large-scale data processing.
A DPIA is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA is required at least in the following cases:
The DPIA should be conducted before the processing and should be considered as a living tool, not merely as a one-off exercise. Where there are residual risks that can’t be mitigated by the measures put in place, the Data Protection Authority (DPA) must be consulted prior to the start of the processing.
The results may be interpreted as follows:
High: High risk signifies that the activity or process being assessed poses a significant threat to individuals' rights and freedoms or to the organisation itself. It typically implies that there is a substantial likelihood of severe harm or adverse consequences if risks are not adequately addressed. High-risk processing activities may involve sensitive personal data, large-scale data processing, or processing activities with a high potential for data breaches or misuse. Organisations should prioritise mitigating high-risk scenarios and implementing robust risk reduction measures.
Medium: Medium risk suggests that the activity or process has the potential to cause harm or adverse consequences, but the likelihood or severity of these consequences is not as significant as in high-risk scenarios. Medium-risk situations may require measures to mitigate the identified risks, but these measures may not need to be as extensive or urgent as those for high-risk situations. Medium-risk processing activities may involve personal data that is not highly sensitive or situations where the potential impact on individuals is moderate.
Low: Low risk indicates that the activity or process is unlikely to result in significant harm or adverse consequences to individuals' rights and freedoms or the organisation. Low-risk scenarios may still require some risk management measures, but these are typically less extensive and urgent than for high or medium risk situations. In the context of data protection, low-risk processing activities may involve non-sensitive personal data or activities with minimal potential for harm.
To run a DPIA on a specific processing activity (PA), you must first have provided the required information in the relevant step when creating or editing that PA.