Data Protection Impact Assessment

Order a personal data protection impact assessment service for your company.




A Data Protection Impact Assessment (DPIA) is a procedure provided for in Article 35 of the GDPR. It consists of identifying and describing all processes involving personal data within a company. A DPIA is conducted to assess the data protection risks, search for the most vulnerable points in the security system, but most importantly — to develop procedures intended to prevent data breaches. 


Results of the DPIA are summarised in a table that describes: 

  • The categories, goals, and volumes of personal data processed by the company; 
  • The processes of data collection and processing; 
  • The employees, contractors and subcontractors involved in the process; 
  • The identified risks, weaknesses, and possible threats; 
  • The planned actions in the event of a privacy breach. 


Conducting a DPIA is necessary in two cases: either immediately before the start of the collection and processing of personal data, or in the event of significant changes in the company's already investigated processes. For example, if you launch a new product, you must conduct a DPIA to assess the risks associated with the processing of personal data. Alternatively, the assessment is necessary when the processing environment changes (new hardware, software, processing rules are introduced), or when new categories of data are added to an already well-established process. 

It is also necessary to carry out an assessment in the following situations: 

1.Converting paper records and documents into electronic documents. 

2. Combining multiple databases into one. 

3. Incorporating personal data obtained from commercial sources into the company's existing database. 

4. Making changes to the business process that leads to the collection and use of personal data. 

5. Implementing projects using third-party suppliers. 

6. Changes in personal data due to the addition of new types of information. 

7. Adding new features to an existing product or service. 


The regulation does not set out a clear frequency for conducting a DPIA, since its frequency depends directly on the company's activities. The intention behind the regulation is that every time you start a new project involving personal data, you must conduct a DPIA. 

Interviewing employees, analyzing documents, searching for and detailing business processes that pose risks to users’ privacy is a long and tedious process that requires attention to detail.

We suggest that you don't waste time searching where the shoe pinches yourself, but instead seek help from certified data protection specialists who have conducted dozens of Data Protection Impact Assessments and know all the ins and outs of the procedure. 


Duration Duration
Less than 1 week
Price Price
€200+ / h.


Maria Arnst CIPM, TÜV, Strategic Privacy by Design, DPP
Data Protection Officer, GDPR Consultant, Privacy researcher
Certified Information Privacy Manager, member of International Association of Privacy Professionals with experience of being a Data Protection Officer for European companies, including those focused on privacy and data security. Certified as Data Protection Officer by TÜV (Germany's leading and one of the world's leading independent testing and certification services group), trained in Strategic Privacy by Design.
Pavel Lazavenka LLB, GDPR DPP, Strategic Privacy by Design
GDPR Consultant
LLB, GDPR Data Privacy Professional. Specializes in Data Processing Agreements, drafting and auditing of privacy notice (privacy policy), DSARs management. Able to assist you with the DPIA and LIA. Trained in Strategic Privacy by Design.


Comply with the requirements of Article 35 of the GDPR.
Make a complete inventory of treatments, systems and contractors.
Identify unused categories of processed data and get rid of them, thereby reducing the Penalties under the GDPR for the company.
Demonstrate to partners, customers, and employees your commitment to law enforcement.

Phases of work

Step 1. Identification of the context, value, and scope of processing. 

Step 2. Identification and analysis of the mechanisms that allow data subjects to exercise their rights. 

Step 3. Analysis of the data protection mechanisms implemented. 

Step 4. Identification of the at-risk actors involved in the processing, sources of threats, and potential breaches of privacy. 

Step 5. Evaluation of the likelihood of risk and severity of consequences for data subjects. 

Step 6. Selection of tactics to minimize the risk, development of the action plan, time frames, and people responsible for data security. 


What do you get by completing a DPIA?

Compliance with Article 35 of the Regulation in case of inspection by the Supervisory authority. 

A table describing the movement of all personal data in the company to further work towards compliance. 

Summary on the DPIA conducted to demonstrate your company's compliance with the GDPR to customers and partners.


Our consultants have developed several DPIA checklists to comply with the GDPR: 

  1. We provide training so that our staff understand the need to consider a DPIA at the early stages of any plan involving personal data.
  2. Our existing policies, processes, and procedures include references to DPIA requirements.
  3. We understand the types of processing that require a DPIA and use the screening checklist to identify the need for a DPIA, where necessary.
  4. We have created and documented a DPIA process.
  5. We provide training for relevant staff on how to carry out a DPIAs.
  1. We consider carrying out a DPIA in any major project involving the use of personal data.
  2. We consider whether to do a DPIA if we plan to carry out any other:
  • evaluation or scoring; 
  • automated decision-making with significant effects; 
  • systematic monitoring; 
  • processing of sensitive data or data of a highly personal nature; 
  • processing on a large scale; 
  • processing of data concerning vulnerable data subjects; 
  • innovative technological or organisational solutions; 
  • processing that involves preventing data subjects from exercising a right or using a service or contract. 

     3.We always carry out a DPIA if we plan to: 

  • use systematic and extensive profiling or automated decision-making to make significant decisions about people; 
  • process special-category data or criminal-offence data on a large scale; 
  • systematically monitor a publicly accessible place on a large scale; 
  • use innovative technology in combination with any of the criteria in the European guidelines; 
  • use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit; 
  • carry out profiling on a large scale; 
  • process biometric or genetic data in combination with any of the criteria in the European guidelines; 
  • combine, compare or match data from multiple sources; 
  • process personal data without providing a privacy notice directly to the individual in combination with any of the criteria in the European guidelines; 
  • process personal data in a way that involves tracking individuals online or offline location or behaviour, in combination with any of the criteria in the European guidelines; 
  • process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them; 
  • process personal data that could result in a risk of physical harm in the event of a security breach. 
  1. We carry out a new DPIA if there is a change to the nature, scope, context or purposes of our processing.
  2. If we decide not to carry out a DPIA, we document our reasons.
  1. We describe the nature, scope, context and purposes of the processing.
  2. We ask our data processors to help us understand and document their processing activities and identify any associated risks.
  3. We consider how best to consult individuals (or their representatives) and other relevant stakeholders.
  4. We ask for the advice of our data protection officer.
  5. We check that the processing is necessary for and proportionate to our purposes and describe how we will ensure compliance with data protection principles.
  6. We do an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests.
  7. We identify measures we can put in place to eliminate or reduce high risks.
  8. We record our decision-making in the outcome of the DPIA, including any difference of opinion with our DPO or individuals consulted.
  9. We implement the measures we identified and integrate them into our project plan.
  10. We consult the ICO before processing, if we cannot mitigate high risks.
  11. We keep our DPIAs under review and revisit them when necessary.
    •           confirmed whether the DPIA is a review of pre-GDPR processing or covers intended processing, including timelines in either case; 
    • explained why we needed a DPIA, detailing the types of intended processing that made it a requirement; 
    • structured the document clearly, systematically and logically; 
    • written the DPIA in plain English, with a non-specialist audience in mind, explaining any technical terms and acronyms we have used; 
    • set out clearly the relationships between controllers, processors, data subjects and systems, using both text and data-flow diagrams where appropriate; 
    • ensured that the specifics of any flows of personal data between people, systems, organisations and countries have been clearly explained and presented; 
    • explicitly stated how we are complying with each of the Data Protection Principles under GDPR and clearly explained our lawful basis for processing (and special category conditions if relevant); 
    • explained how we plan to support the relevant information rights of our data subjects; 
    • identified all relevant risks to individuals’ rights and freedoms, assessed their likelihood and severity, and detailed all relevant mitigations; 
    • explained sufficiently how any proposed mitigation reduces the identified risk in question; 
    • evidenced our consideration of any less risky alternatives to achieving the same purposes of the processing, and why we didn’t choose them; 
    • given details of stakeholder consultation (e.g., data subjects, representative bodies) and included summaries of findings; 
    • recorded the advice and recommendations of our DPO (where relevant) and ensured the DPIA is signed off by the appropriate people; 
    • agreed and documented a schedule for reviewing the DPIA regularly or when we change the nature, scope, context or purposes of the processing; 
    • have consulted with the supervisory authority as to whether there are any further residual high risks we cannot mitigate. 


    The course is loading, wait a few seconds