23.04.2025

The 4 steps to conducting a proper Data Protection Impact Assessment (DPIA)

The Data Protection Impact Assessment (DPIA) is a key tool of the GDPR, designed to identify and minimise risks to the rights and freedoms of data subjects at an early stage. Particularly in an increasingly data-driven world, it presents companies with the challenge of designing complex processes in a legally compliant and transparent manner. In this article, we highlight the key aspects of a DPIA and the process in 4 steps.

Your ISiCO expert: Jacqueline Neiazy, Director Privacy

What is a data protection impact assessment?

The GDPR, and Art. 35 GDPR in particular, is vague on what exactly a DPIA is. Art. 35 GDPR primarily specifies the circumstances in which a DPIA is required and the minimum content of a DPIA (Art. 35 para. 7 GDPR). The law does not, however, prescribe the form a DPIA must take or the procedure to be followed.

Accurate and effective implementation requires more than just a document summarising the risks of processing. Rather, a DPIA is to be understood as a multi-stage process that comprehensively records and analyses the processing activities - also with regard to the scope and purpose of the processing - and also accompanies the technical and organisational implementation for the security of the data.

A DPIA therefore serves to evaluate the processing of personal data on a technical and organisational level, but also on a legal level, taking into account the purposes of the processing.

When does a GDPR data protection impact assessment need to be conducted?

According to Art. 35 para. 1 sentence 1 GDPR, the controller must carry out a DPIA when a form of data processing, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons due to the nature, scope, circumstances and purposes of the processing. The concept of risk is very broad and can refer to any risk of an economic or social nature; Art. 35 para. 1 GDPR does not provide any further details on which processing activities are to be classified as particularly risky.

Due to the increasing use of AI applications in almost all areas of a company, an obligation to conduct a DPIA may arise in particular from the use of new technologies. When introducing new technologies into an organisation, particular attention must be paid to the possible need for a DPIA.

In addition to the general obligation to carry out a DPIA in the event of a probable high risk to the rights and freedoms of data subjects, Art. 35 para. 3 GDPR lists three cases in which a DPIA is always mandatory. Accordingly, a DPIA must be carried out where

  1. a systematic and comprehensive evaluation of personal aspects relating to natural persons is carried out, which is based on automated processing, including profiling, and serves as the basis for decisions concerning those persons;
  2. extensive processing of special categories of personal data (Art. 9 para. 1 GDPR) or of personal data relating to criminal convictions or offences pursuant to Art. 10 GDPR takes place; or
  3. systematic and extensive monitoring of publicly accessible areas takes place.

Furthermore, Art. 35 para. 4 GDPR obliges the data protection supervisory authorities to draw up a so-called positive list (also known as a black list) of processing activities that necessarily require a DPIA. In Germany, the Conference of Independent Federal and State Data Protection Authorities (DSK) has drawn up and published this positive list.

According to this positive list, a DPIA is required, for example, for extensive processing of personal data on the behaviour of employees that can be used to evaluate their work activities in such a way that legal consequences arise for the data subjects or they are significantly affected in some other way. This may include, in particular, technical applications or tools that enable the monitoring and control of employees.

It should be noted, however, that even if none of these criteria applies to the specific processing activity, this does not necessarily mean that a DPIA is not required. The risk of the processing must be determined as part of a threshold analysis. Wherever there is a high risk to the rights and freedoms of natural persons, a DPIA must be carried out.

How a DPIA works (4 steps)

The basic content of a DPIA can be found in Art. 35 para. 7 GDPR. Accordingly, a DPIA is divided into four parts and must include at least the following:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interests pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to those purposes;
  • an assessment of the risks to the rights and freedoms of data subjects; and
  • the measures envisaged to address those risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

Step 1: Describing the processing operations

The description of the proposed processing operations must contain as precise and comprehensive a description as possible of the processing of the data itself and of the data subjects or groups of data subjects. For each processing operation, the legal basis and the purpose of the processing must also be stated.

The description also includes the identification of data sources and any data recipients, such as participating companies, processors or (co-)controllers. Any transfers of data to third countries and the relevant security safeguards must also be documented.

Step 2: Assessment of necessity and proportionality

The assessment of the necessity and proportionality of data processing is again divided into four components. In principle, data processing is proportionate if it

  • serves a legitimate purpose,
  • is suitable for achieving that purpose,
  • is necessary (i.e. required), and
  • is appropriate (proportionate in the narrow sense).

The requirement that data processing must serve a legitimate purpose does not generally pose a problem. It will only be lacking in exceptional cases, for example if the data processing is carried out for unfair purposes. The suitability criterion is met when the intended processing is conducive to achieving the purpose.

In the context of necessity, it must be examined whether there are equally suitable but less intrusive means from the data subjects' point of view. Measures that have already been implemented to reduce the intensity of the interference, such as erasure policies, can be cited here.

If there are no equally suitable and less intrusive means of achieving the purposes pursued, the proportionality of the processing operations must be assessed at the end. For this purpose, the interference with the rights of the data subjects should again be weighed against the purposes of the processing, in order to check whether the operation can be considered proportionate overall.

Step 3: Carry out a risk analysis

The risk analysis is a central part of the DPIA and deals with the risks to the data subjects, which must be presented in full here. It is advisable to base the risk analysis on the Standard Data Protection Model (SDM) published by the DSK. The article uses its eight protection goals to assess the risk of processing operations:

  • Confidentiality: only authorised persons have access to the data
  • Integrity: no unauthorised changes to the data
  • Availability of the data
  • Resilience of the technical systems
  • Transparency: traceability of the data processing for the controller (who processes which data and for what purpose?) and comprehensive information for the data subjects
  • Data minimisation: data is processed only to the extent necessary for the purpose
  • Intervenability: data subject rights can be exercised effectively
  • Unlinkability: no linking with other data and no use for other purposes

The DPIA can describe the extent to which these protection goals are met, and the risk can then be assessed on the basis of the likelihood of harm occurring and the severity of the harm to those affected. This initial assessment should be carried out without taking into account any mitigation measures taken or planned; these are addressed in the next step.

Step 4: Determine mitigation measures

The identified risks must be addressed by appropriate measures (in particular technical and organisational measures). The first step is to determine which measures could reduce the risk. The rights and legitimate interests of the data subjects and other persons concerned must be duly taken into account.

For example, to minimise the risk, stronger encryption could be used or the location of data processing or storage could be moved from a third country to the EU. The specific measures appropriate to mitigate a risk will depend on the processing operation in question and must always be determined on a case-by-case basis.

Data protection impact assessment using the example of video surveillance

An example of a processing operation requiring a DPIA is a company's practice of making video recordings of its premises outside opening hours, transmitting them over an unencrypted Wi-Fi connection and storing the recordings for 14 days.

The legal basis for video surveillance is the company's legitimate interests (Art. 6 para. 1 lit. f GDPR). The purpose of video surveillance is to ensure the (physical) security of the company's premises and the protection of its property, as well as to prevent physical attacks. Video surveillance is also conducive to the achievement of the purpose (suitability). As part of the necessity test, consideration can be given to whether a shorter retention period would be equally suitable as a milder means.

The specific design of the video surveillance may already indicate at the necessity stage, and again in the appropriateness test, that it is not necessary or proportionate.

In any case, the risk assessment must include the breach of confidentiality caused by the unencrypted transmission and the breach of the data minimisation principle caused by the excessive retention period. The result is a high risk. A possible remedy for the first is to encrypt the transmission of the recordings over the Wi-Fi link, for example using TLS.

The DSK has also published an opinion on video surveillance of non-public places, which states that the storage period of recordings should be reduced to a maximum of 72 hours. Following the implementation of these two measures, a reassessment shows a low risk. The data protection authority does not need to be consulted.

Who is responsible for carrying out the DPIA in a company?

The question of who is responsible for carrying out a DPIA in a company is also only sparsely answered in Art. 35 para. 1 GDPR. The provision merely states that the controller must carry it out.

The controller is the natural or legal person who decides on the purposes and means of processing (Art. 4 No. 7 GDPR). At first glance, categorisation appears to be simple here, but it can be difficult to determine the exact responsibility, especially when using cloud applications. This is because the providers themselves often act as controllers for individual processing purposes or there is (also) joint controllership. A precise and correct categorisation is crucial for the success of the DPIA.

In principle, the management level is responsible for data protection compliance within a company. If a data protection officer (DPO) has been appointed, the DPO must be involved in carrying out the DPIA (Art. 35 para. 2 GDPR). However, the DPO should not carry out the DPIA personally: it is contradictory for the DPO to advise the controller on the DPIA and at the same time conduct it, and doing so could compromise the independence of the DPO's advice. The DPO must nevertheless issue an opinion at the end of the DPIA.

In addition, the relevant departments in the organisation (IT, HR, Sales, etc.) should be involved in the DPIA, as they deal with the processing activities on a day-to-day basis. This collaboration facilitates risk identification and assessment. The support of the processors is also often essential, as the providers of the tools have more in-depth and comprehensive information about how they process data.

Before carrying out a DPIA, therefore, an overview should be obtained of the various stakeholders who need to be involved in its preparation.

What are the penalties if a company fails to carry out a DPIA when it is required to do so?

In serious cases, failure to carry out a required DPIA pursuant to Art. 83 para. 4 lit. a GDPR can lead to a fine of up to 10 million euros or up to 2% of the annual worldwide turnover.

In addition, the question arises as to whether the failure to conduct a DPIA also affects the lawfulness of the data processing, and therefore whether there may also be an obligation to pay damages (Art. 82 GDPR) to the data subjects. In a recent judgment of the Administrative Court of Wiesbaden (judgment of 18.12.24 - 6 K 1563/21.WI), the Administrative Court had to decide this question, among others.

The court held that a failure to carry out a DPIA, or an incorrect DPIA, does not affect the substantive lawfulness of the processing operation. Accordingly, data subjects cannot claim damages for a missing or inadequate DPIA.

What action should be taken if a high privacy risk is identified?

If a high or even very high risk is identified during the DPIA, the first step is to assess whether the risk can be reduced through remedial measures, such as technical and organisational measures. If such measures still fail to reduce the risk sufficiently, it should be considered whether the processing operation as a whole can be adapted, for example by changing the use case or limiting the scope of the data processing.

If a high risk remains, the controller must consult the competent supervisory authority in accordance with Art. 36 GDPR (prior consultation). In this consultation procedure, the controller must decide, taking into account the recommendation of the supervisory authority, whether the processing activity can take place in view of the remaining residual risks and, if necessary, what additional remedial measures must be taken.

Does a data protection impact assessment have to be carried out once or regularly?

A DPIA is not a one-off exercise. The controller cannot and should not sit back and relax once the DPIA has been completed. Rather, the DPIA needs to be reviewed at regular intervals to ensure that the risk assessment is still up to date and accurate.

The reason for reviewing and, if necessary, adjusting the DPIA may be, for example, that the data processing has changed in scope or intensity. New software features may also lead to a new or even different assessment, for example when an existing tool is extended to include an AI application.

In this respect, it is important to maintain an overview of the processing activities and to consider whether changes to existing processing activities will result in changes to the risk assessment and evaluation. It is therefore advisable to set a specific date for resubmission or review once the DPIA has been completed for the first time. This will ensure that the DPIA is always up to date.

How can ISiCO help you with Data Protection Impact Assessments?

Whether embedded in an overarching data protection management system or related to a specific project, we are your partner for the support and implementation of Data Protection Impact Assessments. Benefit from our expertise in conducting a DPIA and our cross-industry experience.

In a no-obligation initial consultation, we clarify your needs and lay the foundations for our collaboration. We analyse the proposed data processing in detail to identify the types of data, the purpose of the processing and the systems involved. We then assess the risks to data subjects and define appropriate safeguards.

We help with documentation and regular reviews to ensure ongoing compliance and security.

Your solution for the best data protection

The basis of every good business relationship is trust. Strengthen the relationship with your customers with our expertise in data protection. This will give your company a strong competitive advantage and allow you to concentrate fully on your business.

Arrange a free introductory appointment
