Browse resources and find out how to go about conducting Data Protection Impact Assessments
Article 35 of the GDPR introduces the Data Protection Impact Assessment (DPIA) as a mandated assessment for specific cases in which there is a high risk to the rights and freedoms of data subjects. These specific cases are elaborated by the Data Protection Working Party (WP29) and the National Authority. The Data Protection Working Party identified nine criteria that should be considered when evaluating whether a process is likely to result in a high risk to the rights and freedoms of the data subject. For European research projects, the criteria are specified in the guidance for the ethics self-assessment [5]. The DPIA process aims to ensure that controllers adequately address the privacy and data protection risks of ‘risky’ processing operations. By providing a structured way of thinking about the risks to data subjects and how to mitigate them, DPIAs help organisations comply with the requirement of ‘data protection by design’.