Data Protection Impact Assessment



The General Data Protection Regulation (GDPR) prescribes that a data subject (users, product and service clients, staff) must be provided with a whole list of up-to-date information. This list is outlined in Article 13, 14 of the GDPR. It includes the contact details of your DPO (Data Protection Officer), purposes and legal basis of each processing, categories of processed data, facts and conditions of transboundary transfer, reference to subject rights, etc. There are cases when companies got fined for having not fulfilled these requirements.



  1. Сheck internally written privacy policy for gaps, shortcomings or serious mistakes.
  2. Get an opinion on the compliance of your privacy policy with the GDPR requirements or a list of shortcomings with recommendations for correcting them.
  3. Secure your own business against complaints of data subjects and inspections (therefore fines) of supervisory authorities.
  4. Demonstrate to partners, clients and staff your commitment to transparency and enforcement of laws.
Duration Duration
Less than 1 week
Price Price
€200+ / h.

Phases of work

Step 1.

Identification of the context, value, and scale of processing.

Step 2.

Identification and analysis of the mechanisms that allow data subjects to exercise their rights.

Step 3.

Analysis of the implemented data protection measures of personal data protection.

Step 4.

Identification of the at-risk individuals involved in the processing, threat sources, and potential violations of privacy.

Step 5.

Evaluation of the probability of risk and severity of consequences for the data subjects.

Step 6.

Selection of tactics to minimize the risk, development of the action plan, time frames, and people responsible.




1.We provide training so that our staff understand the need to consider a DPIA at the early stages of any plan involving personal data.

2.Our existing policies, processes and procedures include references to DPIA requirements.

3.We understand the types of processing that require a DPIA, and use the screening checklist to identify the need for a DPIA, where necessary.

4.We have created and documented a DPIA process.

5.We provide training for relevant staff on how to carry out a DPIA.

1.We consider carrying out a DPIA in any major project involving the use of personal data.
2.We consider whether to do a DPIA if we plan to carry out any other:
  • evaluation or scoring;
  • automated decision-making with significant effects;
  • systematic monitoring;
  • processing of sensitive data or data of a highly personal nature;
  • processing on a large scale;
  • processing of data concerning vulnerable data subjects;
  • innovative technological or organisational solutions;
  • processing that involves preventing data subjects from exercising a right or using a service or contract.
3.We always carry out a DPIA if we plan to:
5.We carry out a new DPIA if there is a change to the nature, scope, context or purposes of our processing.
6.If we decide not to carry out a DPIA, we document our reasons.
1.We describe the nature, scope, context and purposes of the processing.
2.We ask our data processors to help us understand and document their processing activities and identify any associated risks.
3.We consider how best to consult individuals (or their representatives) and other relevant stakeholders.
4.We ask for the advice of our data protection officer.
5.We check that the processing is necessary for and proportionate to our purposes, and describe how we will ensure compliance with data protection principles.
6.We do an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests.
7.We identify measures we can put in place to eliminate or reduce high risks.
8.We record our decision-making in the outcome of the DPIA, including any difference of opinion with our DPO or individuals consulted.
9.We implement the measures we identified, and integrate them into our project plan.
10.We consult the ICO before processing, if we cannot mitigate high risks.
11.We keep our DPIAs under review and revisit them when necessary.
  • confirmed whether the DPIA is a review of pre-GDPR processing or covers intended processing, including timelines in either case;


Maria Arnst CIPM, TÜV, Strategic Privacy by Design, DPP
Data Protection Officer, GDPR Consultant, Privacy researcher
Certified Information Privacy Manager, member of International Association of Privacy Professionals with experience of being a Data Protection Officer for European companies, including those focused on privacy and data security. Certified as Data Protection Officer by TÜV (Germany's leading and one of the world's leading independent testing and certification services group), trained in Strategic Privacy by Design.
Pavel Lazavenka LLB, GDPR DPP, Strategic Privacy by Design
GDPR Consultant
LLB, GDPR Data Privacy Professional. Specializes in Data Processing Agreements, drafting and auditing of privacy notice (privacy policy), DSARs management. Able to assist you with the DPIA and LIA. Trained in Strategic Privacy by Design.


    The course is loading, wait a few seconds