The GDPR defines several situations when a Data Protection Impact Assessment (DPIA) is mandatory:
1. GDPR Article 35(1) requires a DPIA to be conducted in cases where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purposes of the type of processing. This is likely to be the case if the processing involves new technologies.
2. GDPR Article 35(3) states that DPIAs are mandatory in a number of processing scenarios. These arise where a data controller performs automated decision-making based on personal data profiling, large-scale processing of special categories of data, or systematic monitoring of publicly accessible areas on a large scale.
3. Where required by a data protection supervisory authority which, in accordance with GDPR Article 35(4), has established a list of specific kinds of processing operations that are likely to result in a high risk to the rights and freedoms of data subjects.
The GDPR states that a DPIA is necessary where an organisation, in particular where using new technologies, processes personal data in a way that is likely to result in a high risk to the rights and freedoms of an individual.
In particular, a DPIA is required where an organisation:
For more information please see: https://www.dataprotection.ie/documents/Data-Protection-Impact-Assessment.pdf
If you would like to learn how to do your own DPIA please see here.