Data Protection Impact Assessment DPIA

Mandatory if processing is likely to result in a high risk.

In regards to its nature, scope, context and purpose (e.g new technology).

Shall be carried out by the controller and prior to the processing.

Mandatory, for instance, where automated processing, such as profilingNew.

Content requirements of DPIA.

Detailed description of the processing (purpose, legitimate interest).

Assessment of the necessity and proportionality.

Assessment of risks and measures.

Prior consultation.

Consultation with Supervisory Authority required where DPIA reveals high risk is likely to occur if necessary measures are not taken.

Supervisory Authority shall answer within 8 weeks (14 extendable).

Accountability important components.

Compliance with codes of conducts to mitigate assessed impact (namely in DPA).

Certifications participate to demonstrate accountability.