{"id":2926,"date":"2017-10-10T14:14:00","date_gmt":"2017-10-10T20:14:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&p=2926"},"modified":"2025-05-22T11:06:18","modified_gmt":"2025-05-22T16:06:18","slug":"data-protection-impact-assessment-article35","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/data-protection-impact-assessment-article35\/","title":{"rendered":"Your EU GDPR Article 35: Data Protection Impact Assessment (DPIA) Cheat Sheet"},"content":{"rendered":"\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t\tArticles<\/strong>\n\t\t\t\t\t\t\t\t\t\t

Your EU GDPR Article 35: Data Protection Impact Assessment (DPIA) Cheat Sheet<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t
\n\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\"\"\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\tAnnie Greenley-Giudici<\/strong>\n\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/span>\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Data Protection Impact Assessment introduction and background<\/h2>\n

The GDPR compliance<\/a> deadline has passed, so organizations should have a documented process for conducting Data Protection Impact Assessments (DPIAs) and Privacy Impact Assessments (PIAs).<\/p>\n

However, before building a DPIA program, it is useful to review and understand what a DPIA is, when it is needed, and how it should be conducted.<\/p>\n

What is Data Protection Impact Assessment (DPIA)?<\/h2>\n

A DPIA is designed to help an organization with risk assessment associated with data processing activities that may pose a threat or high risk to the rights and freedoms of individuals.<\/p>\n

A privacy impact assessment helps to identify privacy risks during the development of a program life cycle.<\/p>\n

A PIA outlines how personal information will be handled and secured to maintain privacy.<\/p>\n

When is a DPIA required?<\/h2>\n

The GDPR requires that DPIAs be conducted before a processing activity takes place that may pose a \u201chigh risk\u201d to the rights and freedoms of individuals.<\/p>\n

The GDPR does not define the types of processing that are likely to result in such a risk.<\/p>\n

The\u00a0Article 29 Working Party<\/a>\u00a0has, however, provided sample categories of high-risk processing, which can serve as a guide.<\/p>\n

The categories include profiling and predictive processing, automated-decision making that has legal effects, systematic monitoring, the processing of sensitive data, and processing that relies on new technology.<\/p>\n

One example of high-risk processing in the evaluation or scoring category would be conducting credit checks.<\/p>\n

While the GDPR does not dictate the specific requirements of how organizations are supposed to conduct DPIAs, it does provide four elements that a DPIA assessment must contain:<\/strong><\/p>\n