Carrying out a Data Protection Impact Assessment (assessment of possible privacy and data protection risks in a new project or change to existing processes) is a requirement of GDPR for higher risk projects.  GDPR refers to the controller seeking advice from the DPO when carrying out a DPIA in Article 35 and the DPO is under a duty to provide advice where requested on the conduct of DPIAs and to monitor the performance of DPIAs carried out by the controller (Article 39(1)).  The European Data Protection Board (“EDPB”) (which issues opinions and guidance on GDPR) also confirms that the DPO should be involved in DPIA risk assessments as an important part of the role.

According to the EDPB the controller is under a duty to carry out a Data Protection Impact Assessment (“DPIA”) when the risks presented by a type of processing (in particular using new technologies) taking into account the nature, scope, context and purposes of the processing, are likely to result in a risk to the rights and freedoms of natural persons.

In practice it can be difficult to assess the level of risk that a change to processing presents without undertaking the DPIA and we would always advise carrying out a DPIA for any new project unless there is no personal data processing involved.

How to carry out a DPIA risk assessment

A DPIA is a review of the data protection impacts on any given project or process change.  The reviewer (which works best as a team of people with different inputs, IT, marketing, compliance etc) needs a list of data protection issues – fair processing, data retention, data minimisation, security etc – and should consider whether or not the project or process change is impacted by any of these issues.  Initially the DPIA should highlight these potential impacts allowing team members to carry out further research, take advice and identify possible solutions.  Ideally it should be carried out at the very commencement of a project or process change so that planning and development can take account of potential impacts.  The process should be repeated throughout the development to manage issues as they are identified and record how they are resolved.

Documenting the DPIA is essential to record impacts identified, possible solutions and the final approved plan that is put into place to manage or resolve issues.  Documentation provides evidence of compliance controls for accountability.  Accountability is one of the data protection principles.  It states that controllers are responsible for complying with the GDPR and that they must be able to demonstrate compliance.

Data Protection Consulting offers support for carrying out and monitoring the performance of DPIAs.  There is an easy to use template in our DPO Support Package and the DP-Smart Toolkit also includes a good template.  Contact us now at or use the contact form on this website.