When Is a Data Protection Impact Assessment (DPIA) Required? | DPO Consulting

Alexis Dessaints
5 mins
October 10, 2024


As data privacy and protection regulations become paramount, the General Data Protection Regulation (GDPR) stands out as a significant policy governing personal data use. Within the GDPR, one of the most essential elements of risk assessment is the Data Protection Impact Assessment (DPIA). This critical risk management tool is designed to help organisations systematically assess and prevent the potential risks of processing personal data. DPIAs are essential when data processing is likely to result in a high risk to individuals' rights and freedoms.

Understanding when to conduct a DPIA is vital for organisations of all sizes to ensure compliance and protect both brand image and the privacy of the individuals whose data they process.

This comprehensive guide will explain when a DPIA is required and a few critical concepts related to DPIAs. It will also examine real-world examples, and outline the consequences of non-compliance with GDPR requirements.

TLDR: The General Rule

A DPIA is compulsory when an organisation processes personal data in ways that potentially result in a high risk to the rights and freedoms of data subjects. Activities such as large-scale processing of sensitive data, use of innovative technologies, or systematic monitoring of public spaces necessitate a data protection impact assessment. The primary goal is to identify and mitigate potential risks before they manifest.

Conducting a DPIA ensures that organisations comply with the GDPR and demonstrate full accountability for their actions. It allows organisations to identify risks early and take appropriate steps to address them before they harm individuals. Failure to carry out a DPIA, when a DPIA is required, could lead to substantial fines, legal penalties, and reputational damage.

Understanding the Terms

The GDPR states specific conditions that may warrant a DPIA. However, it's essential to understand the particular terminology before determining whether your project requires one.

‘High Risk’

When the GDPR refers to “high risk,” it means activities that could significantly impact individuals' rights and freedoms. This could mean anything from an invasion of privacy to the loss of sensitive information that results in financial or emotional harm to individuals.

For instance, an e-commerce platform that collects credit card information for millions of customers must analyse the risk of a potential data breach. If such a breach occurred, it could expose customers to financial fraud, which may be a high risk to their rights and freedoms.

The European Data Protection Board (EDPB) has issued “high risk” guidelines, helping organisations make more informed decisions. Sensitive data such as health records, genetic data, biometric data, or any processing that affects vulnerable populations like children or older people would typically meet the definition of “high risk.”

‘Likely to Result in a High Risk’

It’s important to understand exactly when a DPIA is required. It is required both when a high risk is guaranteed and when the processing is “likely to result in a high risk.” Even if your organisation doesn’t know that harm will occur, if the nature of the data processing can lead to severe consequences, you should carry out a DPIA.

Let’s take the example of a company planning to introduce a new facial recognition system for employees. Even if there is no history of issues with similar systems, the potential for security breaches means that processing could likely result in a high risk, triggering the need for a DPIA.

When Is a DPIA Required?

The GDPR lists several situations that typically require a DPIA risk assessment. As stated above, processing activities that involve new technologies, large-scale processing of sensitive data, systematic monitoring, and automated profiling are a few situations that mandate a DPIA. A DPIA is compulsory if two of the nine criteria listed by the EDPB are checked.

  1. Evaluation or scoring: Data processing involving systematic assessment or profiling of individuals, particularly decisions that may significantly affect them (e.g., credit scoring).
  2. Automated decision-making with legal or similar significant effects: Data processing involving automated decisions that produce legal effects or other significant impacts on individuals (e.g., job recruitment).
  3. New Technology: If your organisation is introducing a new technology that processes personal data, such as AI-driven data collection, augmented reality, or facial recognition systems.
  4. Large-Scale Processing: Processing carried out on a large scale, which significantly affects many individuals, such as tracking employees across multiple locations.
  5. Sensitive Data or Data of a highly personal nature: Processing of specific categories of data, such as health, genetic, biometric, racial, or ethnic data, requires extra care.
  6. Systematic Monitoring: Surveillance activities, such as monitoring customer behaviour online, CCTV in public areas, or tracking individuals through location data.
  7. Matching or combining datasets: Data processing that merges or links datasets can raise concerns due to the generation of more detailed personal profiles.
  8. Data concerning vulnerable individuals: Processing that affects vulnerable data subjects like children or the elderly.
  9. Processing that prevents data subjects from exercising a right or using a service or a contract: This includes activities where processing restricts access to a service or contract, such as a bank screening customers against a credit reference database to determine loan eligibility.

What Are the Consequences of Not Conducting a DPIA When Required?

The failure to carry out a DPIA when required can have severe legal and financial repercussions. Under the GDPR risk assessment policies, organisations that do not comply with DPIA requirements can face administrative fines of up to €20 million or 4% of the organisation’s total worldwide annual revenue, whichever is higher.

Beyond financial penalties, organisations that fail to conduct a DPIA are at greater risk of data breaches, regulatory investigations, and lawsuits from data subjects. Non-compliance can also damage an organisation’s brand name and break customer, partner, and stakeholder trust.

Legal and Financial Penalties

The GDPR grants regulatory authorities, typically the supervisory authorities, the power to impose fines for failure to comply with its requirements. These fines can be substantial, and particularly burdensome for small corporations. Additionally, individuals whose data rights were violated may claim damages.

For example, a major telecommunications company that failed to conduct a DPIA before implementing a new customer profiling system was fined €9 million after discovering that the system had led to discriminatory outcomes and unauthorised access to customer data.

Reputational Damage

Organisations that fail to protect personal data face regulatory fines and significant reputational damage. Data breaches, privacy violations, and mishandling of personal information can break customer trust, leading to a loss of business. 

In today’s privacy-conscious world, consumers are more aware of their data protection rights and expect organisations to take proactive measures to safeguard their information. When companies fail to meet these expectations, they lose competitive advantage.

Data Breaches

Data breaches are the most visible and damaging consequence of non-compliance with GDPR requirements. Organisations that fail to conduct a DPIA are more likely to experience security incidents that expose personal data to unauthorised parties.

For example, a retail company that neglected to perform a DPIA before launching a new mobile app was hit with a massive data theft that exposed customers’ payment information to hackers. The company faced hefty fines and had to deal with a spoiled reputation.

Are There Any Exemptions?

While exemptions from the DPIA requirement are rare, certain situations exist where an organisation may not need to conduct one. These exemptions include cases where the data processing is authorised by law, where a similar assessment has already been conducted, or where the processing is deemed low-risk.

Moreover, supervisory authorities may issue recommendations and guidelines applicable to their country that list processing activities that automatically require the drafting of a DPIA, and processing activities that are automatically exempted from it.

Processing Authorised by Law

One critical exemption to DPIA requirements is when data processing is mandated or authorised by law. For example, public authorities such as income tax authorities or the police that process personal data to fulfil legal obligations, such as collecting taxes or enforcing the law, may be exempted from conducting a DPIA.

However, it’s important to note that even when data processing is authorised by law, organisations must still ensure that the data is processed in accordance with GDPR principles, including data minimisation, transparency, and security.

Existing DPIA

Suppose an organisation has conducted a Data Protection Impact Assessment (DPIA) for a similar data processing activity. In that case, it may not need to perform a new DPIA for subsequent processing. For example, a healthcare provider that has already assessed the risks of processing patient health data for one service may not need to conduct a new DPIA if the same data is used in a similar context.

However, organisations should regularly monitor and update their DPIAs to ensure that they remain relevant and that any new risks or changes in data processing are adequately accounted for.

Low-Risk Processing

Data processing activities may sometimes be deemed low-risk, meaning a DPIA is not required. For example, if an organisation checks 2 of the 9 criteria but can demonstrate that the data processing does not result in high-risk outcomes, it may be exempted from performing a DPIA.

However, this determination should be made carefully, and organisations should consult with their Data Protection Officer (DPO) or legal advisors to ensure they are not overlooking potential risks.

Examples of Exemptions

Consider the following example. A public authority processes personal data to distribute social welfare benefits. If citizens’ data processing is authorised by national law and follows structured guidelines for protecting data subjects’ privacy, the organisation may be exempted from conducting a DPIA.

Similarly, a small company that processes employee data solely for payroll purposes, where the data is limited to essential information like names, job titles, and bank details, may be able to demonstrate that the processing is low-risk and does not require a DPIA.

How DPO Consulting Can Help You Stay Compliant

A Data Protection Impact Assessment (DPIA) is an essential tool for organisations that process personal data. It helps to identify and mitigate potential risks to individuals' privacy and security. Whether your organisation is using new technologies, processing sensitive data on a large scale, or conducting systematic monitoring, conducting a DPIA is often a legal requirement under the GDPR.

Failing to carry out a DPIA when necessary can lead to significant legal and financial penalties and damage to your organisation’s reputation.

DPO Consulting specialises in helping businesses overcome the obstacles of data protection and DPIA requirements, offering expert advice and tailored solutions to minimise risks and ensure compliance.

Their services include:

  • Comprehensive DPIA Support: DPO Consulting assesses whether and when a DPIA is required and provides full support by drafting and conducting in-depth risk assessments for your data processing activities.
  • Data Protection Officer (DPO) Support: Their experienced DPOs work with your organisation to implement best practices for data protection and ensure that DPIAs are conducted when required.
  • Training and Education: DPO Consulting also offers training programmes to help your staff understand their responsibilities under the GDPR and ensure they can effectively manage data protection risks.
  • Ongoing Compliance Monitoring: The company provides ongoing support to help your organisation comply with DPIA and other data protection requirements as your business evolves.

Get in touch with DPO Consulting to focus on your core business while they help you navigate the complexities of data protection.
