The EU's General Data Protection Regulation (GDPR) introduced rules that organisations must follow to protect the personal data of the individuals whose data they process, whether those individuals are clients, employees or visitors to their websites.
One of the most significant ways to demonstrate to a supervisory authority that an organisation complies with the GDPR is to carry out a Data Protection Impact Assessment (DPIA). The DPIA must be conducted before the processing begins, and it is a continuous process to be revisited as the processing changes, not a one-off exercise.
The requirement for a DPIA is set out in Article 35 of the GDPR (Article 39 concerns the tasks of the data protection officer). Article 35(1) provides that where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
A DPIA is required in particular for high-risk processing activities and at least in the following cases:
Under Article 35(4) of the GDPR, each national supervisory authority publishes a list of the kinds of processing operations that require a DPIA, and may also publish a list of those that do not. For the EU institutions and bodies, which are supervised under Regulation (EU) 2018/1725 rather than the GDPR, the European Data Protection Supervisor (EDPS) has adopted and published the equivalent list under Article 39 of that Regulation, covering both the processing operations that require a DPIA and those which, prima facie, do not. These lists help controllers assess whether a DPIA is required and aim to ensure that privacy and data protection risks are adequately addressed. It is important to note that they are not exhaustive: a processing operation absent from a list may still meet the "high risk" test of Article 35(1) and therefore require a DPIA.