Data Protection Impact Assessment (DPIA)
Data Controllers and Data Processors, during the phase of bringing their processing up to standard, are often confronted with this unfamiliar acronym: DPIA.
What is this about, and when is a DPIA performed?
Art. 35 of the Regulation introduces the Data Protection Impact Assessment without providing a univocal definition.
Based on the guidance of the EDPB (European Data Protection Board, formerly the Article 29 Working Party), it is however possible to identify a DPIA as a procedure aimed at describing the processing of personal data, assessing at the same time its actual conformity to the principles of necessity and proportionality and the adequacy of the measures adopted for removing the risks to the rights and freedoms of the data subjects involved.
The DPIA is thus an essential tool in light of the Data Controller's accountability, since it helps the latter to comply with GDPR requirements and to demonstrate that all necessary measures have been taken to ensure compliance with those obligations in relation to processing operations that, because of the high level of risk involved, are especially sensitive.
It is necessary to perform a DPIA whenever a processing operation falls within the scope of Art. 35, paragraphs 1 and 3, of the Regulation, although best practice suggests performing one anyway in certain cases, in order to map the risk of a processing operation correctly.
In other words, a DPIA is a procedure that makes it possible to achieve, and to demonstrate, the compliance of personal data processing with the privacy rules.