Impact analysis
Assess the privacy impact of the processing.
This step lets you assess, in a simple way, whether your processing must undergo a data protection impact assessment (DPIA, also called a PIA) as provided for by Article 35 of the GDPR.
What is a DPIA? A process for assessing the necessity and proportionality of the processing and for managing the risks it poses to data subjects.
Under what conditions must I carry out a DPIA? When the risks to the rights and freedoms of data subjects are high. The EDPS has clarified the scope of this requirement: if the processing meets at least two of the following criteria, a DPIA is required:
Evaluation/scoring
Automatic decision with legal effect
Systematic monitoring
Sensitive data
Large scale
Cross-referencing of data
Vulnerable persons
Innovative use
Transfer outside the EU
Blocking a right/contract
The criterion of transfers outside the EU is not part of the list established by the EDPS, but it constitutes a significant risk given the safeguards required to carry out such a transfer.
Sometimes, for a processing operation that is particularly sensitive for the data subjects, meeting a single criterion may be enough to require a DPIA.
In addition, supervisory authorities publish a list of types of processing for which a DPIA is mandatory, and may publish a list of types of processing for which a DPIA is not mandatory.
The French CNIL has published these two lists (in French), which can be accessed here:
List of types of processing for which a DPIA is not mandatory
List of types of processing for which a DPIA is mandatory
Note that Article 30 of the GDPR (the record of processing activities) does not require you to state whether a DPIA has been carried out for the processing.