Under Article 35(1) of the GDPR, companies and organisations are required to conduct a Data Protection Impact Assessment (DPIA) where their processing activities are likely to result in a high risk to the rights and freedoms of data subjects. The DPIA should be done BEFORE processing begins, in line with the principle of data protection by design and by default. The DPIA should be conducted by the "Controller", the person or organisation that decides the purposes and means of the processing.
Neither "likely to result" nor "high risk" is specifically defined in the regulation, so it remains up to the controller to assess each processing activity by weighing the probability of harm to individuals against the severity of any potential harm that could result.
Article 35(3) contains three concrete examples of types of processing that always require a DPIA to be undertaken:
1. Systematic and extensive evaluation of personal aspects based on automated processing, including profiling, where decisions based on it produce legal effects or similarly significant effects on the individual.
2. Large-scale processing of sensitive data (the special categories of data listed in Article 9(1)) or of personal data relating to criminal convictions and offences.
3. Public monitoring, meaning large-scale, systematic monitoring of a publicly accessible area (CCTV being the obvious case).
(Note that "systematic", "extensive" and "large scale" are not defined categorically in the regulation.)
Additionally, guidance from supervisory authorities (including the lists they are required to publish under Article 35(4)) identifies the kinds of processing that are likely to need a DPIA, such as:
The implementation of new technology;
Processing that involves automated decision-making, e.g. evaluation or scoring;
The processing of biometric or genetic data;
Data matching, i.e. combining data sets from different third-party sources;
Invisible processing: processing of data that was not acquired directly from the data subject but obtained, for instance, through list brokering;
Tracking of individuals' behaviour, movements or interactions with devices;
Processing the data of children or vulnerable people for marketing or profiling purposes;
Processing that involves a risk of emotional, financial or reputational damage;
Processing that prevents an individual from using a service or exercising a right.
As always, there are exceptions to the rule. Under Article 35(10), an organisation does not have to carry out a DPIA where the processing is based on a legal obligation or a public task (Article 6(1)(c) or (e)), the processing has a legal basis in Union or Member State law that regulates the specific operation in question, and an impact assessment was already carried out as part of adopting that legal basis. Simply processing under one of those lawful bases is not, on its own, enough to avoid a DPIA.
DPIA templates can be found on the websites of some Supervisory Authorities of member states, although it is not compulsory to use them; there is no prescribed format that a DPIA has to take, provided it covers at least the minimum contents set out in Article 35(7) (a description of the processing and its purposes, an assessment of necessity and proportionality, an assessment of the risks to data subjects, and the measures envisaged to address those risks).