Data Protection Impact Assessments

Article 35 of the General Data Protection Regulation requires that an impact assessment be prepared for data processing which poses a high risk to personal data These Data Processing Impact Assessments are particularly recommended in the following situations:


1. Personal profiling which affects the legal rights of individuals.

2. Processing of data regarding criminal records.

3. Processing of data on the race, ethnicity, political beliefs, religious beliefs, health, sexual orientation, or trade union membership of individuals.

4. Large scale monitoring of a public area.


The list of processing operations covered by the assessment must be made available to the public.


The assessment has to include the following:

  1. A systematic description of processing operations.

  2. An assessment of the necessity and proportionality of the processing operations in relation to their purposes.

  3. The measures taken to safeguard the personal data.


The views of the data subjects must be solicited for the DPIA.


The DPIA must be updated when the risk to the personal data changes.


The Information Commissioner's Office of the United Kingdom has posted a sample template for a Data Processing Impact Assessment. Among other things, the template requires that a plan be prepared about how to consult relevant stakeholders; and descriptions be given of each type of risk the processing poses, indicating the likelihood of harm, severity of harm, and overall degree of risk. An organization's Data Protection Officer has to sign off on the assessment.