Data Protection Impact Assessment

The General Data Protection Regulation (GDPR) requires that data subjects (users, product and service clients, staff) be provided with a full list of up-to-date information. This list is set out in Articles 13 and 14 of the GDPR. It includes the contact details of your DPO (Data Protection Officer), the purposes and legal basis of each processing operation, the categories of processed data, the facts and conditions of transboundary transfer, a reference to data subject rights, etc. Companies have been fined for failing to fulfil these requirements.

If you made the right decision and developed a privacy policy yourself, you need to check it for compliance with the GDPR.


  • to check an internally written privacy policy for gaps, shortcomings or serious mistakes;
  • to get an opinion on the compliance of your privacy policy with the GDPR requirements, or a list of shortcomings with recommendations for correcting them;
  • to secure your own business against complaints from data subjects and inspections (and therefore fines) by supervisory authorities;
  • to demonstrate to partners, clients and staff your commitment to transparency and enforcement of laws.
Duration
Less than 1 week
Price
€200+ / h.

Phases of work

Text analysis of privacy policy for GDPR-compliance
Using a checklist of our own design, we determine the degree to which your privacy policy meets the requirements of the GDPR and the Guidelines on Transparency.
List of shortcomings and recommendations
After the audit, you will not be left alone with the results. You will receive our recommendations for correcting shortcomings, so you can become GDPR-compliant!
Work review by another consultant
We always guarantee the quality of our services, as the final report is checked by another experienced consultant.
Presentation and discussion of the final report
We explain our recommendations in detail and leave no question about compliance with Articles 13 and 14 of the GDPR unanswered!




DPIA awareness checklist
We provide training so that our staff understand the need to consider a DPIA at the early stages of any plan involving personal data
Our existing policies, processes and procedures include references to DPIA requirements
We understand the types of processing that require a DPIA, and use the screening checklist to identify the need for a DPIA, where necessary
We have created and documented a DPIA process
We provide training for relevant staff on how to carry out a DPIA
DPIA screening checklist
We consider carrying out a DPIA in any major project involving the use of personal data
We consider whether to do a DPIA if we plan to carry out any other:
  • evaluation or scoring;
  • automated decision-making with significant effects;
  • systematic monitoring;
  • processing of sensitive data or data of a highly personal nature;
  • processing on a large scale;
  • processing of data concerning vulnerable data subjects;
  • innovative technological or organisational solutions;
  • processing that involves preventing data subjects from exercising a right or using a service or contract.
We always carry out a DPIA if we plan to:
  • use systematic and extensive profiling or automated decision-making to make significant decisions about people;
  • process special-category data or criminal-offence data on a large scale;
  • systematically monitor a publicly accessible place on a large scale;
  • use innovative technology in combination with any of the criteria in the European guidelines;
  • use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit;
  • carry out profiling on a large scale;
  • process biometric or genetic data in combination with any of the criteria in the European guidelines;
  • combine, compare or match data from multiple sources;
  • process personal data without providing a privacy notice directly to the individual in combination with any of the criteria in the European guidelines;
  • process personal data in a way that involves tracking individuals’ online or offline location or behaviour, in combination with any of the criteria in the European guidelines;
  • process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them;
  • process personal data that could result in a risk of physical harm in the event of a security breach.
We carry out a new DPIA if there is a change to the nature, scope, context or purposes of our processing
If we decide not to carry out a DPIA, we document our reasons
DPIA process checklist
We describe the nature, scope, context and purposes of the processing
We ask our data processors to help us understand and document their processing activities and identify any associated risks
We consider how best to consult individuals (or their representatives) and other relevant stakeholders
We ask for the advice of our data protection officer
We check that the processing is necessary for and proportionate to our purposes, and describe how we will ensure compliance with data protection principles
We do an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests
We identify measures we can put in place to eliminate or reduce high risks
We record our decision-making in the outcome of the DPIA, including any difference of opinion with our DPO or individuals consulted
We implement the measures we identified, and integrate them into our project plan
We consult the ICO before processing, if we cannot mitigate high risks
We keep our DPIAs under review and revisit them when necessary
This checklist will help ensure you have written a good DPIA. We have:
  • confirmed whether the DPIA is a review of pre-GDPR processing or covers intended processing, including timelines in either case;
  • explained why we needed a DPIA, detailing the types of intended processing that made it a requirement;
  • structured the document clearly, systematically and logically;
  • written the DPIA in plain English, with a non-specialist audience in mind, explaining any technical terms and acronyms we have used;
  • set out clearly the relationships between controllers, processors, data subjects and systems, using both text and data-flow diagrams where appropriate;
  • ensured that the specifics of any flows of personal data between people, systems, organisations and countries have been clearly explained and presented;
  • explicitly stated how we are complying with each of the Data Protection Principles under GDPR and clearly explained our lawful basis for processing (and special category conditions if relevant);
  • explained how we plan to support the relevant information rights of our data subjects;
  • identified all relevant risks to individuals’ rights and freedoms, assessed their likelihood and severity, and detailed all relevant mitigations;
  • explained sufficiently how any proposed mitigation reduces the identified risk in question;
  • evidenced our consideration of any less risky alternatives to achieving the same purposes of the processing, and why we didn’t choose them;
  • given details of stakeholder consultation (e.g. data subjects, representative bodies) and included summaries of findings;
  • recorded the advice and recommendations of our DPO (where relevant) and ensured the DPIA is signed off by the appropriate people;
  • agreed and documented a schedule for reviewing the DPIA regularly or when we change the nature, scope, context or purposes of the processing;
  • consulted the ICO if there are residual high risks we cannot mitigate.


Maria Arnst CIPM, TÜV
GDPR Consultant
Certified Information Privacy Manager (international IAPP certification) with experience as a Data Protection Officer for European companies, including those focused on privacy and data security. Certified as a DPO by TÜV (Germany's leading, and one of the world's leading, independent testing and certification services groups).
Pavel Lazavenka LLB, GDPR DPP
Associate Consultant DPO LLC
LL.B. and GDPR Data Privacy Professional. Specializes in compliance with GDPR Articles 13, 14 and 15 and in auditing existing privacy notices and policies.

