DPC Guide to Data Protection Impact Assessments (DPIAs)

Ireland’s data protection authority, the Data Protection Commission (‘DPC’), has published guidance on Data Protection Impact Assessments (DPIAs) for organisations.

The guidance highlights that under the General Data Protection Regulation (GDPR), a DPIA is mandatory for processing that is likely to result in a high risk to individuals, and that the focus of a DPIA should be on the potential harm to the rights and freedoms of data subjects. It also outlines when organisations need to conduct a DPIA, whether DPIAs have to be renewed for existing processing operations, when in a project lifecycle a DPIA should be carried out, who should be involved, and what steps must be followed during a DPIA.

Further, the guidance specifies the key stages of a successful DPIA:

  • identifying whether a DPIA is required,
  • defining the characteristics of the project to enable an assessment of the risks to take place,
  • identifying data protection and related risks,
  • identifying data protection solutions to reduce or eliminate the risks,
  • signing off on the outcomes of the DPIA,
  • integrating data protection solutions into the project.