Arrange a Consultation

What is a “DPIA” and do I as Data Controller need to worry about it?

Apr 4 - Brian Siney

Featured in JEP’s Expert Panel – 4th April 2018


“DPIA” stands for data protection impact assessment and A35 of the GDPR law outlines in detail what it is, when it should be undertaken and what it should cover.

There seems to be a lot of confusion within some organisations about DPIA’s and I’ve heard it repeatedly mis-stated as being a GDPR audit or data mapping exercise. It is neither. In practice, a DPIA can only be undertaken when the first part of the GDPR project, i.e. data mapping, has been comprehensively completed.

DPIA must be undertaken where there’s plans for new technologies to be deployed in the large-scale processing of sensitive personal data that could result in a “high risk” to the rights and freedoms of natural persons. The nature, scope, context and purposes of the new processing must be assessed, with examination of the necessity, proportionality, level of changing risks to personal data and it must identify exactly what remedies will be applied to managed and reduce this risk.

It is mandatory for processes that deal with special category data, criminal convictions/offences, produce legal decisions or significantly affects a person after a systematic and extensive evaluation of personal aspects, including profiling.

Ensure Your Business is GDPR Compliant Today!

Contact me today and arrange a consultation…

Be Secure is a Jersey-based data consultancy business specialising in GDPR data protection, data privacy and cyber security. Leveraging extensive experience of founder Brian Siney, Be Secure offers a unique business focus and perspective for managing GDPR.

Send me a message

Call me on 07797 738743

More from the blog

Back to Blog home