Data Protection Impact Assessment (DPIA)


The Regulation establishes that a DPIA must be carried out when a processing operation is likely to entail a high risk to people. It does not define what constitutes high risk, but says that aspects such as the use of new technologies, as well as the nature, scope, context and purpose of the processing, must be taken into account.

In particular, the Regulation requires that a DPIA be carried out in the following three cases:

  • Systematic evaluation of personal aspects based on automated processing, on which decisions are made that significantly affect people.
  • Large-scale processing of special categories of data or data relating to criminal offences or convictions.
  • Large-scale systematic observation of a public access area.

In addition, it requires each data protection authority to publish a list of processing operations that require a DPIA. In the case of the Catalan Data Protection Authority, this list can be consulted here. For organisations under the jurisdiction of the Spanish authority, the list can be consulted here.

It may also be necessary to carry out an impact assessment as a result of the extra guarantees required by the Regulation for processing for archiving purposes in the public interest, statistics or scientific or historical research, if so determined by the legislation of the Member State (the LOPDGDD, in our case).

Conversely, the Regulation exempts from an impact assessment processing that is based on a legal obligation or carried out in the public interest, when a law of the Member State or of the Union regulates that processing and an impact assessment was already carried out during the approval of that law.

In case of doubt, it is recommended to carry out an impact assessment, especially for the most complex processing operations.

In general, the impact assessment does not have to be communicated to the Authority. The data controller must retain it in case the Authority requests it.

Last update: 19.02.2026