When do you need to conduct a DPIA?

February 22, 2021

Under Article 35(1) of the GDPR, companies and organisations are required to conduct a Data Protection Impact Assessment (DPIA) where their processing activities are likely to result in a high risk to the rights and freedoms of data subjects. The DPIA should be done BEFORE processing begins, in line with the principle of data protection by design and by default. The DPIA should be conducted by the “Controller”, i.e. the person or organisation who decides the purpose for which the data is used.

Neither “likely to result” nor “high risk” is specifically defined within the regulation, so it remains up to the controller to consider its processing activities by assessing the probability of harm to individuals and the severity of any potential harm that could be caused as a result.

Article 35(3) contains three concrete examples of types of processing that always require a DPIA to be undertaken:
1. Systematic and extensive profiling with significant effects (a legal effect or similar).
2. Large-scale use of sensitive data (the special categories of data listed in Article 9(1)) or of personal data on criminal offences and convictions.
3. Public monitoring, which refers to large-scale, systematic monitoring of publicly accessible data.

(Note that ‘systematic’, ‘extensive’ and ‘large scale’ are not defined categorically in the regulation.)

Additionally, the regulation indicates the kinds of processing that are likely to need a DPIA, such as:
- The implementation of new technology;
- Processing that involves automated decision-making, e.g. evaluation or scoring;
- The processing of biometric or genetic data;
- Data matching, i.e. combining data sets from different third-party sources;
- Invisible processing, i.e. processing of data that was not acquired directly from the data subject but obtained through list brokering, for instance;
- Tracking of individuals' behaviour, movements or interactions with devices;
- Processing the data of children or vulnerable people for marketing purposes or profiling;
- Processing that involves a risk of emotional, financial or reputational damage;
- Processing that prevents an individual from using a service or exercising a right.

As always, there are exceptions to the rule. An organisation does not have to carry out a DPIA, for example, if it is processing data under a legal obligation or as part of a public task.

DPIA templates can be found on the websites of some member state Supervisory Authorities, although it is not compulsory to use them; there is no specific format that a DPIA has to take.
