How to conduct a Data Protection Impact Assessment (template included)
A Data Protection Impact Assessment (DPIA) is required under Article 35 of the GDPR before you begin any processing of personal data that is likely to result in a high risk to the rights and freedoms of the people the data is about, whether that processing is a new project or a significant change to an existing one. This article explains how to conduct a DPIA and includes a template to help you execute the assessment.
The EU’s General Data Protection Regulation (GDPR) includes dozens of new rules (and many old ones) that organizations must follow in order to protect the personal information they collect about their clients or people who visit their websites. Organizations that fail to comply with the GDPR are risking severe penalties, including fines of up to €20 million or 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher.
We cover many of the GDPR requirements in other articles on this website. For a general overview and many helpful links, check out our “What is the GDPR?” page or visit our GDPR checklist. Also, there’s a common misconception that businesses with fewer than 250 employees are exempt from the GDPR. That’s not true. (See who must comply with the GDPR.)
One of the most important ways to demonstrate to authorities that your organization complies with the GDPR is to prepare a DPIA for each of your high-risk data processing activities.
Below, we’ll explain how to determine when a DPIA is required, and then walk through how to conduct one.