The DPIA process aims to provide assurance that controllers adequately address the privacy and data protection risks of 'risky' processing operations. By providing a structured way of thinking about the risks to data subjects and how to mitigate them, DPIAs help organisations to comply with the requirement of 'data protection by design' where it is needed most, i.e. for 'risky' processing operations.
A DPIA is in particular required for:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 10, or of personal data relating to criminal convictions and offences referred to in Article 11; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
The European Data Protection Supervisor has established a template allowing controllers to assess whether they have to carry out a DPIA [annex 6 to Part I of the accountability toolkit]. In addition, the EDPS has established an open list of processing operations subject to the requirement for a DPIA. Listed there are common processing operations that will require a DPIA, saving controllers time:
The assessment shall contain at least:
Where necessary, the controller shall carry out a review to assess whether the processing is being performed in accordance with the data protection impact assessment, at least when there is a change in the risk represented by the processing operations.
If, following the DPIA, controllers are not sure whether the risks are appropriately mitigated, they should proceed to a prior consultation under Article 40.