Impact analysis

Assess the privacy impact of the processing.

This step lets you evaluate, in a simple way, whether your processing must be subject to a data protection impact assessment (DPIA, also called a PIA) as provided for by Article 35 of the GDPR.

What is a DPIA? A process for assessing the necessity and proportionality of the processing and for managing the risks it poses.

Under what conditions should I conduct a DPIA? When the risks to the rights and freedoms of data subjects are high. The EDPS has clarified the scope of this requirement: if the processing meets at least two of the following criteria, a DPIA is required:

  • Evaluation/scoring

  • Automatic decision with legal effect

  • Systematic monitoring

  • Sensitive data

  • Large scale

  • Cross-referencing of data

  • Vulnerable persons

  • Innovative use

  • Transfer outside the EU

  • Blocking a right/contract

The criterion of transfers outside the EU is not part of the list established by the EDPS, but it constitutes a significant risk in view of the safeguards necessary to carry out a transfer.

Sometimes, for a processing operation that is particularly sensitive for the data subjects, a single criterion may be enough to require a DPIA.

In addition, supervisory authorities publish a list of types of processing for which a DPIA is mandatory, and may publish a list of types of processing for which a DPIA is not mandatory.

The French CNIL has published these two lists (in French), which can be accessed here:

List of types of processing with non-mandatory PIA

List of types of processing with mandatory PIA

Note that Article 30 of the GDPR does not require you to specify whether a DPIA has been performed for the processing.
