When Must You Complete a Data Protection Impact Assessment?


Data protection impact assessments (DPIAs) are a legal requirement for GDPR, to ensure people’s private and sensitive data remains secure and isn’t misused. In this article, our security experts explain when you should conduct a DPIA and the benefits to you of doing so.

When might a data protection impact assessment be used? DPIAs are needed before any type of risky processing is started. As found in Article 35(1) “you must do a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of individuals.” DPIAs are needed when processing personal and private data. 

Read on to find out more about when you must complete a data protection impact assessment, when you don’t need to complete one, and how they can benefit your business.

When might a data protection impact assessment be used?

DPIAs are needed before any type of risky processing is started. To quote Article 35(1) “you must do a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of individuals.”

According to Article 35; some situations are outlined in which a DPIA is mandatory. Such as when processing a large scale of special categories of data, or any personal data relating to criminal convictions. Another situation is when processing is based on automated decision-making including profiling. The last case outlined in Article 35 is when there is systematic monitoring of a publicly accessible area on a large scale.

To find out more about when you should conduct a DPIA, read our recent blog post, where we discuss which triggers should result in an assessment. 

When is a DPIA Not Required?

A DPIA is generally not required in the following cases:

  • Where the processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)).
  • When the nature, scope, context and purposes of the processing are very similar to the processing for which DPIAs have been carried out. In such cases, the results of a DPIA for similar processing can be used (Article 35(1)).
  • Where a processing operation has a legal basis in EU or Member State law and has stated that an initial DPIA does not have to be carried out, where the law regulates the specific processing operation and where a DPIA, according to the standards of the GDPR, has already been carried out as part of the establishment of that legal basis (Article 35(10)).
  • Where the processing is included on the optional list (established by the supervisory authority) of processing operations for which no DPIA is required (Article 35(5)).

What is a Data Protection Impact Assessment? 

The DPIA is a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan. When a DPIA is properly done, it assesses and demonstrates how compliant you are to your data protection obligations.

DPIAs do not only consider compliance risks but also wider risks to the rights and freedoms of the data subjects which include the possibility of any substantial social or economic disadvantage. The emphasis is on the potential for harm – to individuals or society at large, whether it is physical, material or non-material.

What Are the Benefits of a DPIA?

A DPIA effectively done, brings broader compliance, financial and reputational benefits, helping the demonstration of accountability and building trust and engagement with individuals.

Some of the benefits of conducting a DPIA are as follows:

  • Certifying and proving that your organisation is compliant with the GDPR thereby avoiding the penalties and sanctions that are attached to non-compliance
  • By improving communications about data protection issues it inspires confidence in the public
  • Your users are not at risk of having their data protection rights violated
  • Enables organisations to embed data protection by design (Data protection by design means embedding data privacy features and data privacy-enhancing technologies directly into the design of projects at an early stage)
  • By optimising information flows within a project and eliminating unnecessary data collection and processing, it reduces operating costs.

Information Security Assessments with Risk Crew

Improve awareness within your organisation and protect sensitive information with Risk Crew. Our Information Security Threat & Risk Assessment service allows you to make informed decisions about risk-based decisions and security budget allocations. Without this service, your risk approach will be ad hoc and driven by external influences.

To find out more about our risk assessment service, or if you have any questions, get in touch with our team of security professionals, who will be happy to help. 


If we already carry out Privacy Impact Assessments, do we still need to carry out the DPIA?

The two processes are similar however a review will need to be on your internal policies, processes and procedures to ensure they meet the key requirements of the DPIA under GDPR. Specific subject matter such as ensuring your screening questions comply with the new requirements.

Is a DPIA mandatory for existing processing operations, existing before the GDPR becomes effective on the 25th May 2018?

DPIAs are legally mandatory only for processing operations that are initiated after 25 May 2018, when the GDPR became effective. Nevertheless, the Article 29 Working Party strongly recommends carrying out DPIAs for all high-risk operations before this date

Do you have a specific question not addressed in this blog post? Contact one of our DPA and GDPR experts and we’ll be happy to answer. For more data protection tips, check out our article on ‘Data Protection Tips for the New Working Environment’.

Risk Crew