supernav-iconJoin Us at AWS re:Invent 2024

Contact Sales

  • Sign In
  • Get Started
HomeGRC CentralRiskData Protection Impact Assessment

Data Protection Impact Assessment for GDPR: How To Do It Right

Data Protection Impact Assessment for GDPR How To Do It Right

What's Inside

Learn more about data protection impact assessments and discover what you need to know to conduct one yourself.

Contents
What Is a Data Protection Impact Assessment?Why Should You Conduct a DPIA?When to Conduct the AssessmentWho Should Be Involved in a DPIA?How to Perform a Successful Data Protection Impact Assessment

The EU’s General Data Protection Regulation (GDPR) has several rules that organizations must follow to protect data. One of those requirements is to perform a Data Protection Impact Assessment (DPIA) in certain circumstances.

Do you need some guidance on how to manage these rules and requirements? 

In this post we’ll walk you through DPIAs and explain what you need to know to conduct an effective one yourself.

Reduce Manual GDPR Compliance Tasks

See how you can simplify your compliance process with Drata's pre-mapped controls, GDPR-compliant policies, and expert support.

Learn More

What Is a Data Protection Impact Assessment?

A DPIA is a requirement under the GDPR. The goal is to show that you have processes in place and have put thought into:

  • Identifying the potential impact of your processing on individuals’ privacy rights.

  • Assessing the likelihood of any risks occurring, and how serious they may be.

  • Determining whether your current measures are appropriate to deal with those risk.

At its core, a DIPA is a way to document that your organization is being responsible with the data you collect and/or process. This is critical as volumes of data and privacy concerns continue to grow.

Why Should You Conduct a DPIA?

A DPIA isn’t just nice to have. For many organizations, it’s necessary to stay in compliance with the GDPR. According to the regulation, this is when a DPIA is necessary:

“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

Similar to other modern frameworks, this requirement is based on risk. For example, if you track people’s locations or behavior, process special categories of personal data, or monitor a publicly accessible place, you would need to complete one of these assessments to be in compliance with the GDPR.

"Drata keeps us on the right track from a security perspective, and helps cement transparency throughout the entire organization."

Ty Nickel, Sr. Manager of Information Security, Measurabl

Read the Story

When to Conduct the Assessment

For compliance purposes, you must conduct the DIPA prior to launching the project or processing activity. Beyond that, whenever there is a change that could impact your assessment, you should go through the process again.

Those changes include these common scenarios:

  • You need to change existing processes which collect new types of information about individuals.

  • You want to use data in ways not previously done before.

  • Your method of collecting and processing data is changing significantly.

  • A system is being outsourced (either internally or externally).

  • Your company is offering a new product or feature that involves special categories of data such as political opinions or religious beliefs.

There are other scenarios where conducting a DPIA again would make sense. The important thing is to think through any major differences in how you manage data. As your processes and uses of information evolve, your assessments should too. 

Who Should Be Involved in a DPIA?

All those involved in how an organization processes personal data should also be involved in the process of creating and approving a DPIA. For most organizations, this includes a minimum of four role types.

Data Controllers

The person or organization that determines why personal data is collected, stored, and processed. They’re responsible for ensuring that any processing activities are lawful and comply with the GDPR. This could include HR managers or other business leaders responsible for managing employee records.

Data Processor

The person or organization contracted to process personal data on an organization’s behalf. Internally, this is likely to include your IT team. If you outsource any of this work, you may also need involvement from an external team.

Security or Privacy Professionals

A member of staff whose role includes advising on security or privacy matters affecting privacy rights. This person should have knowledge of the company’s cybersecurity or privacy processes and policies.

Data Protection Officer (DPO)

If your organization has established a DPO as part of your compliance with Article 37 of the GDPR, they should be involved in the DPIA as well. 

How to Perform a Successful Data Protection Impact Assessment

When you go to complete the assessment, the GDPR has a set list of features that every DPIA must include. 

Here’s a closer look at what those are:

  • A description of the processing operations and the purposes of the processing

  • An assessment of the necessity and proportionality of the processing

  • An assessment of the risks to the rights and freedoms of data subjects

  • Measures envisaged to address the risks and demonstrate compliance

These guidelines act as a framework to help you understand DPIA requirements. The following steps provide a more concrete path to put your assessment together. 

1. Gain Clarity With Your Data

First, you need to have an internal understanding of where you store personal data and how you plan to (or already) use it. This information acts as the basis for the rest of your assessment.

2. Look at the Data Protection Policies and Risks

What are you currently doing to ensure that data is secure and private? Are there specific risks that your organization faces that you need to be aware of? To answer these questions, you’ll need to look at existing documentation, and how any previous security or privacy issues were addressed.

3. Identify Ways to Protect Data

At this stage, you should be able to recognize where you have any gaps. Then, you can look at data security to see what additional steps you can take to improve your security. 

4. Create a Record of Your DPIA

You’ve put the work in, now you have to make sure that you document it. If you need help organizing your assessment, you can use this helpful template to organize information and gain more insight into the process.

5. Implement New Practices

Finally, take action on anything that you uncover during your DPIA. If there are security risks or better ways to protect data, take steps to address them as soon as possible. 

Centralize and Streamline Your Risk Management Process

Drata automatically matches risks with pre-mapped controls to unlock the power of automated tests and put risk management on autopilot, saving you time, money, and helping your business focus on more strategic objectives

Schedule a Demo

Keep Reading

See More
6 Types of Risk Assessment Methodologies + How to Choose

ARTICLE

6 Types of Risk Assessment Methodologies + How to Choose

Penetration Testing Why It’s Important + Common Types

ARTICLE

Penetration Testing: Why It’s Important + Common Types

Recovery Point Objective (RPO) What It Is + Why It Matters

ARTICLE

Recovery Point Objective (RPO): What It Is + Why It Matters

Risk Register How to Build One + Examples

ARTICLE

Risk Register: How to Build One + Examples

Take Your Learning Further

Discover research, guides, templates, and other resources on risk management.

Explore Risk Hub