Iubenda logo
Start generating


Table of Contents

Privacy impact assessment: DPIA

What is a privacy impact assessment? When is it needed? Is it mandatory to carry out a DPIA? 

This post explains what a privacy impact assessment is and provides you with a DPIA template. 


What is a DPIA and when is it required?

DPIA stands for Data Protection Impact Assessment. It is a process that organizations must undertake to identify and minimize data protection risks when implementing a new project, system, or process. DPIA is required by the General Data Protection Regulation (GDPR) whenever the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals, such as when processing sensitive personal data, using new technologies, or conducting large-scale processing activities.

What is a privacy impact assessment?

A Privacy Impact Assessment, also known as Data Protection Impact Assessment (DPIA), is a process that can help an organization analyze and minimize the risks connected to the processing of personal data. 

An effective DPIA is a useful tool to make sure organizations meet the requirement of “privacy by design”, which means that they have the technical and organizational measures in place to avoid data security risks. That’s why it’s important to carry out a privacy impact assessment before starting a new data processing activity.

Moreover, a DPIA can also help mitigate the risk of fines, sanctions, and reputation damage that might otherwise affect the organization.

When is a data privacy impact assessment needed?

Article 35 of the GDPR states that a privacy impact assessment should be undertaken only when the processing is likely to result in a high risk to the rights and freedoms of users

“High risk” data processing activities include:

  • large-scale processing of sensitive data;
  • systematic monitoring of a publicly accessible area (e.g., CCTV);
  • situations where there are extensive automated evaluations of personal data intended to influence decisions and significantly affect the user’s life (profiling).

A DPIA can also be required in other circumstances. 
For example, when the processing of data concerning vulnerable persons (e.g., children, the elderly) is involved, when there are data transfers outside the EU, and when data is being used in profiling. 

Each situation should be evaluated independently in these cases, but you can always check these guidelines for reference.

Please, keep in mind that if you’re not sure whether your processing activity can be considered “high risk,” it’s recommended to carry out a data privacy impact assessment anyway. 

Privacy impact assessment template

According to the UK’s Information Commissioner Office, a privacy impact assessment should:

  • describe the nature, scope, context, and purposes of the processing;
  • assess necessity, proportionality, and compliance measures;
  • identify and assess risks to individuals; and
  • identify any additional measures to mitigate those risks.

Since writing a DPIA yourself can be tricky, a template can always come in handy! 

Click here to download this free DPIA template (.docx direct download)

Not sure if you need a DPIA?

Take this free 1-min quiz