Data Privacy Impact Assessment (DPIA) reference


Step 1: Document the why

In step one you will document why a DPIA is necessary. You will describe what type of processing you are assessing and what goals it is designed to achieve, and you should consider how likely the processing is to pose a high level of risk to the privacy rights of individuals.

Step 2: Document the how

The four sections of step two walk you through detailing the processing being assessed in the DPIA. They cover questions about how you will collect, store, and use the personal data; who will have access to it, including third parties it will be shared with; what sort of personal data will be collected and from how many data subjects; how long it will be retained; and the purpose for collecting this information. These questions allow you to understand the full scope of the processing being proposed.

Step 3: Document the who

Step three walks you through the process of consulting stakeholders. These include the data subjects from whom the personal information is collected, stakeholders internal to your organization, and data processors with whom the information is shared. This allows you to understand and document the views of all involved individuals and groups and any justifications for deviating from those views.

Step 4: Document the Need

In step four you should consider the necessity of the processing you plan to do and whether it is in line with the expected benefits. You should also consider how you will ensure that your processing meets privacy regulations, including what lawful basis you have for the processing.

Step 5: Document the Risks

In step five you will identify specific risks that the processing might pose. For each risk you will rate the likelihood of harm as remote, possible, or probable, and the severity of the impact as minimal, significant, or severe. Any issue with a remote likelihood or a minimal impact is considered low risk. An issue with a significant impact and a possible likelihood is considered moderate risk. An issue with a severe impact and a possible or probable likelihood, or with a significant impact and a probable likelihood, is considered high risk.

Step 6: Document the Risk Impact

In step six you will evaluate the moderate and high-risk impacts to understand how they might be mitigated or eliminated.

Record what actions you will take, how they will affect the risk (e.g., whether the risk will be mitigated, eliminated, or accepted), and whether these measures have been approved by the DPO or other appropriate stakeholders.

Step 7: Gather the Approvals

Finally, step seven documents the sign-offs and approvals of the DPIA.