Examples
Worked examples
- Is an instance
Before launching a wearable-sensor mental-health study that combines geolocation with mood reports, the research team completes a DPIA documenting pseudonymisation, encrypted storage, and a defined retention schedule.
- Is an instance
A university implementing a campus-wide CCTV analytics pilot conducts a DPIA, identifies residual high risk to staff and students, and consults the supervisory authority under Article 36.
Counter-examples
Looks similar, but isn't
- Not an instance
A small-scale researcher survey collecting only name and email of voluntary participants for a single course evaluation typically does not meet Article 35 thresholds.
- Not an instance
Processing of fully anonymous statistical data does not require a DPIA under the GDPR.
Editorial commentary
A DPIA must be carried out prior to commencing processing and, at a minimum, must contain a systematic description of the envisaged operations and purposes, an assessment of necessity and proportionality in relation to the purposes, an assessment of risks to the rights and freedoms of data subjects, and the measures envisaged to address those risks. Article 35(3) lists mandatory DPIA triggers including systematic and extensive evaluation of personal aspects based on automated processing, large-scale processing of special-category data, and systematic monitoring of publicly accessible areas. National supervisory authorities publish additional lists. Where residual high risk remains after mitigation, the controller must consult the supervisory authority under Article 36.
References
- GDPR, Regulation (EU) 2016/679, Article 35: Data protection impact assessment
- Article 29 Working Party: Guidelines on Data Protection Impact Assessment (WP248 rev.01)
- UK Information Commissioner's Office: Sample DPIA template and guidance
Also known as
DPIA · Privacy Impact Assessment · PIA
Machine-readable encodings
Use in your systems
<role vocab="credit"
vocab-identifier="https://casrai.org/dictionary/"
vocab-term="Data Protection Impact Assessment (DPIA)"
vocab-term-identifier="https://casrai.org/dictionary/term/data-protection-impact-assessment-dpia" />

{
"@context": "https://schema.org",
"@type": "DefinedTerm",
"name": "Data Protection Impact Assessment (DPIA)",
"identifier": "https://casrai.org/dictionary/term/data-protection-impact-assessment-dpia",
"description": "A documented assessment required under Article 35 of the GDPR where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, describing the processing, assessing necessity, proportionality, and risks, and identifying mitigating measures.",
"inDefinedTermSet": "https://casrai.org/dictionary/domain/compliance-and-regulatory/",
"url": "https://casrai.org/dictionary/term/data-protection-impact-assessment-dpia",
"sameAs": [
"DPIA",
"Privacy Impact Assessment",
"PIA"
],
"license": "https://creativecommons.org/licenses/by/4.0/"
}







