DPIAs and why every organization needs to conduct them

What is a DPIA?

A DPIA (data protection impact assessment) is, effectively, a type of risk assessment. A core part of a DPIA is identifying risks and working out how likely they are to occur and the impact they would have. More specifically, a DPIA is an assessment of how a particular process will impact the protection of personal data, and its checklist of requirements differs to that of a typical information security risk assessment.

“A DPIA is a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them.” – WP29 (Article 29 Working Party)

DPIAs are important tools for accountability. Described in Article 35 of the GDPR (General Data Protection Regulation), they are just one of the requirements that organizations need to comply with in order to protect the personal data they process. DPIAs help controllers not only comply with the requirements of the Regulation but also demonstrate that appropriate measures have been taken to ensure that compliance.

DPIAs are sometimes referred to as PIAs (privacy impact assessments). The terms are effectively interchangeable, but the GDPR refers exclusively to DPIAs, so that’s the term we use.

Why use the DPIA Tool?

Organizations that need to be GDPR compliant, also need to undertake a DPIA or at least answer the qualifying questions to find out if a DPIA is required.

When is a DPIA required? 

A DPIA is required if a process is likely to result in a high risk to the rights and freedoms of data subjects (see below). This comprises:

  • Using automation to make decisions that could significantly affect an individual;
  • Processing sensitive data (health data, political views, sexuality, etc.) on a large scale; and
  • Monitoring public areas on a large scale.

What is a data subject?

A data subject is any natural person (i.e. a living individual) whose personal data is processed by the organization. Data subjects might be employees, contractors, etc., as well as customers. Examples include advisers, agents, applicants, complainants, consultants, contractors, correspondents, enquirers, members, patients, representatives, researchers, students, suppliers, temporary workers and volunteers.

What constitutes a high-risk process?

A high-risk process is anything that meets the criteria outlined in Article 35 of the GDPR and guidance provided by the ICO and the WP29 (now replaced by the European Data Protection Board, which has endorsed the WP29’s DPIA guidelines). Identifying high-risk processes can be difficult, but any process that meets the criteria in the GDPR or guidance given by the ICO and the WP29 should definitely be considered high risk.

Who should conduct a DPIA?

  • The controller is responsible for conducting DPIAs where they are required (as per Article 35).
  • The processor is obliged to assist the controller with its DPIAs (as per Article 28,3(f)).

What is the DPIA Tool?


Our tool walks customers through the six steps they must complete as part of a DPIA.

  • Step 1 – Process description: Contains a questionnaire that prompts users for information about the process in question.
  • Step 2 – Screening questions: Contains screening questions that help users work out if they need to conduct a DPIA.
  • Step 3 – Consultation: Contains a questionnaire that prompts users for information about the parties they’ve consulted (such as data subjects or their representatives).
  • Step 4 – Principles questionnaire: Contains a questionnaire prompting users to provide information about the necessity and proportionality of processing — e.g. what measures they have in place to uphold data protection principles, data subject rights, etc.
  • Step 5 – Privacy risk assessment: Gives users the means to identify individual risks to the rights and freedoms of data subjects, including evaluating levels of risks and determining risk responses.
  • Step 6 – Review: Contains a brief questionnaire asking users about whether the DPIA has been reviewed and whether the process is authorized to go ahead.


The tool is didactic, meaning that you don’t have to be an expert to complete a DPIA. The tool will make sure that you answer all the right questions. Wherever possible, references are included in the relevant sections of the GDPR, so it’s straightforward to check why a question is being asked and its context.

Purchase our DPIA tool here >>

The DPIA Tool is aligned with guidance from both the ICO and the WP29, ‘guaranteeing comprehensive DPIAs’.

For further information on how our DPIA Tool can help your organization stay GDPR cyber compliant, speak to our experts. If you’d like to see the tool in action, book a one-to-one demonstration today.

                                                                             Get in touch now »