A DPIA (Data Protection Impact Assessment) is a formal assessment required by the GDPR for minimising risk to individuals’ privacy and personal data. Under the GDPR, a DPIA must be carried out before beginning any activity related to processing of personal data where privacy rights may be at risk.
The DPIA must include the following types of information (this list is not exhaustive):
- a description of the planned activity/the source of the risk
- the type of information to be processed
- how and why the data is to be processed
- an evaluation of the necessity of the planned activity
- the nature of the risk/s
- the severity of the risk/s
- who the information would be shared with and where in the world it would be sent
- how the data is being protected during transmission and storage
- safeguards and mechanisms to be implemented to mitigate risks
For further information about the DPIA and your DPIA obligations, please seek legal advice.