PONT Data&Privacy
Unsure if a DPIA is required? Tips for determining necessity

There are situations in which the processing of personal data creates a high privacy risk. In those cases you are legally required to conduct a Data Protection Impact Assessment (DPIA) before the processing begins.

July 1, 2025

Blog


A DPIA is designed to identify the risks to the privacy of data subjects at an early stage, so that you can take the right measures to counter the negative consequences. Under the General Data Protection Regulation (GDPR, in Dutch: AVG), an organization is required to conduct a DPIA for a new processing operation that is expected to carry a high privacy risk. A DPIA is also required when an existing processing of personal data changes substantially and the privacy risks increase considerably as a result.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has drawn up a list of processing operations for which a DPIA is mandatory in any case. Examples include profiling, blacklists and the deployment of cameras in publicly accessible areas. The European Data Protection Board (EDPB) distinguishes nine criteria for assessing whether a DPIA is needed.

How do you determine whether a DPIA is necessary?

Some tips from our privacy consultants:

  • Involve the Data Protection Officer (DPO, in Dutch: FG) at an early stage. The DPO advises, for example, on whether to initiate a DPIA and on the appropriate assessment method for it.

  • Use the EDPB flowchart to determine whether a DPIA is required. For SMEs, the EDPB's data protection guide is a practical tool.

  • Carry out a pre-DPIA, an abbreviated risk analysis.

  • Check whether DPIAs have been conducted for existing processing operations that may fall under the obligation of Article 35 GDPR. If not, conduct the DPIA after all.

A DPIA is an important tool for identifying privacy risks and for ensuring that a processing of personal data complies with the GDPR (and with other, sector-specific laws and regulations such as the Police Data Act). Conducting a DPIA thus contributes to privacy compliance and to trust in your organization.
