Data protection impact assessment (DPIA)

What is a Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment (DPIA) is a process for assessing how an organization processes personal data and what impact that processing has on the privacy and rights of the individuals whose data is processed. Under the GDPR (Article 35) it is the tool used to identify, understand and minimize the risks that a processing operation creates, and it is mandatory where the processing is likely to result in a high risk to the rights and freedoms of the people whose data is processed.

When to conduct an impact assessment (DPIA)

The supervisory authority establishes and publishes a list of the types of processing operations for which a data protection impact assessment (DPIA) is required. For the Polish authority that list is the Announcement of the President of the Personal Data Protection Office, issued on the basis of Art. 54 section 1 point 1 in connection with Art. 172 of the Act of 10 May 2018 on the protection of personal data; the complete list of cases and situations requiring an impact assessment is the annex to that Announcement. Whether a given processing operation needs a DPIA is therefore determined against that list.

A data protection impact assessment (DPIA) must be carried out whenever a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. The published list gives concrete cases, but it does not replace that general test: a processing operation that is not on the list still requires a DPIA when it meets it.

Examples of activities indicated by the President of the Personal Data Protection Office that require a data protection impact assessment:

  • evaluation or assessment, including profiling and prediction (behavioral analysis), for purposes that produce negative legal, physical, financial or other consequences for natural persons (e.g. creditworthiness assessment),
  • automated decision-making producing legal, financial or similarly significant effects,
  • systematic large-scale monitoring of publicly accessible places using elements that recognize features or properties of the objects present in the monitored space,
  • processing of special categories of personal data and of data relating to convictions and prohibited acts (sensitive data in the sense of the WP29 opinion),
  • processing of biometric data solely for the purpose of identifying a natural person or for access control,
  • processing of genetic data,
  • processing of data on a large scale, where "large scale" is judged by the number of people whose data is processed, the scope of the processing, the period for which the data is stored and the geographical extent of the processing,
  • making comparisons, assessments or drawing conclusions on the basis of data obtained from different sources,
  • processing of data on persons whose assessment, or the services provided to them, depends on entities or persons holding supervisory and/or assessment powers,
  • innovative use or application of technological or organizational solutions,
  • processing that in itself prevents data subjects from exercising a right or using a service or contract,
  • processing of location data.

The role of the GDPR Risk Tracker in impact assessment (DPIA)

In the GDPR Risk Tracker application, the data protection impact assessment (DPIA) is an integral part of the risk analysis and serves to verify that personal data is processed in compliance with the GDPR. As a comprehensive risk-analysis tool, GDPR Risk Tracker guides the user through the whole process of building an analysis, or several analyses, for the specific processing operations carried out in the organization the user represents. Because the problem of personal data protection is broken down process by process, entities using the application receive a complete tool for checking the correctness of their activities and their compliance with the GDPR in the broad sense.