
When is a Data Protection Impact Assessment required?

The GDPR defines several situations when a Data Protection Impact Assessment (DPIA) is mandatory:

1. GDPR Article 35(1) requires a DPIA to be conducted in cases where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purposes of the type of processing. This is likely to be the case if the processing involves new technologies.

2. GDPR Article 35(3) states that DPIAs are mandatory in a number of processing scenarios. These arise where a data controller performs automated decision-making based on personal data profiling, large-scale processing of special categories of data, or systematic monitoring of publicly accessible areas on a large scale.

3. Where required by a data protection supervisory authority which, in accordance with GDPR Article 35(4), has established a list of specific kinds of processing operations that are likely to result in a high risk to the rights and freedoms of data subjects.

The GDPR states that a DPIA is necessary where an organisation, in particular when using new technologies, processes personal data in a way that is likely to result in a high risk to the rights and freedoms of an individual.

In particular, a DPIA is required where an organisation:

  • uses systematic and extensive profiling with significant effects; or
  • processes special category or criminal offence data on a large scale; or
  • systematically monitors publicly accessible places on a large scale.

For more information please see: https://www.dataprotection.ie/documents/Data-Protection-Impact-Assessment.pdf

If you would like to learn how to do your own DPIA please see here.
