Data Protection Impact Assessment

Run a DPIA for a high-risk data processing activity.

What Is Data Protection Impact Assessment?

A Data Protection Impact Assessment (DPIA) is a structured risk analysis required by GDPR Article 35 before any processing operation that is 'likely to result in a high risk' to the rights and freedoms of individuals. DPIAs are mandatory for systematic profiling with significant effects, large-scale processing of special category data, and systematic monitoring of publicly accessible areas. The regulation does not treat DPIAs as a box-ticking exercise. Supervisory authorities review them during audits and investigations, and an inadequate DPIA can lead to enforcement action on its own.

This exercise gives you a processing activity that triggers multiple DPIA criteria, and you must work through the assessment from start to finish. You begin by describing the processing operations and their purposes, then assess necessity and proportionality. The core of the exercise is systematic risk identification: mapping out what could go wrong for data subjects and evaluating likelihood and severity using a structured methodology. You will consider risks like unauthorized access, discriminatory profiling, function creep beyond the original purpose, and data accuracy failures. For each identified risk, you document mitigation measures and residual risk levels.

The exercise also covers the requirement to consult with your Data Protection Officer and, in cases where high risk remains after mitigation, the obligation to consult the supervisory authority under Article 36 before proceeding. You will produce a DPIA document that meets the minimum content requirements specified in Article 35(7) and could withstand regulatory review.

What You'll Learn in Data Protection Impact Assessment

Data Protection Impact Assessment — Training Steps

  1. Introduction

    Under GDPR Article 35, a Data Protection Impact Assessment (DPIA) is mandatory before processing that is 'likely to result in a high risk' to individuals' rights and freedoms. This includes automated decision-making, large-scale processing of special category data, and systematic monitoring.

  2. DPIA Request

    You receive an email from the Chief Technology Officer informing you that the new AI Health Analytics platform is entering final development. Before it can launch, you must complete a DPIA. The platform triggers DPIA requirements for three reasons: it processes health data (special category under Article 9), uses automated decision-making, and operates at large scale.

  3. Accessing the Risk Assessment Tool

    You need to log into the internal portal to access the Risk Assessment tool. This tool guides you through the structured DPIA process required by GDPR.

  4. Opening the Risk Assessment Tool

    The Risk Assessment tool provides a structured framework for assessing privacy risks - calculating risk scores based on likelihood and impact, then documenting mitigation measures. The tool displays risk categories on the left and a risk matrix on the right. You will assess each risk category by setting likelihood and impact scores.

  5. Understanding the Risk Matrix

    Before assessing individual risks, you need to understand how the risk matrix works. Risk is calculated as:

    Likelihood x Impact = Risk Score

    Both likelihood and impact are scored 1-5:
    Likelihood: How likely is this risk to occur? (1 = Rare, 5 = Almost Certain)
    Impact: How severe would the consequences be? (1 = Negligible, 5 = Catastrophic)

    Risk levels: 1-4 Low (green), 5-9 Medium (amber), 10-16 High (orange), 17-25 Critical (red).

  6. Assessing Data Breach Risk

    The first risk category is Data Breach Risk. With 2 million patient health records, a data breach would be catastrophic. Consider:
    The platform processes highly sensitive health data.
    Healthcare is a prime target for cyberattacks.
    A breach could expose diagnoses, treatments, and genetic information.
    Assess this risk with Likelihood: 3 (Possible - healthcare is frequently targeted) and Impact: 5 (Catastrophic - health data breach affecting millions).

  7. Setting Data Breach Scores

    Set the risk scores for Data Breach. Why these values?
    Likelihood: 3 (Possible) - Healthcare is one of the most targeted sectors for cyberattacks. While you have security controls, the threat landscape means breaches are realistically possible, not just theoretical.
    Impact: 5 (Catastrophic) - A breach of 2 million patient health records would cause severe harm: identity theft, discrimination, psychological distress. Health data is among the most sensitive - you cannot change your medical history like you can change a password.
    Risk Score: 3 x 5 = 15 (High) - This requires documented mitigation measures.

  8. Assessing Consent Management Risk

    The second risk is Consent Management. The platform relies on patient consent to process health data for analytics purposes. Consider:
    Patients must give explicit consent for health data processing.
    Consent must be freely given, specific, informed, and unambiguous.
    Withdrawal must be as easy as giving consent.
    Assess this risk with Likelihood: 2 (Unlikely with proper systems) and Impact: 4 (Major - processing without valid consent violates GDPR fundamentals).

  9. Setting Consent Management Scores

    Set the risk scores for Consent Management. Why these values?
    Likelihood: 2 (Unlikely) - With a properly designed consent system, invalid consent is unlikely. The platform uses clear consent forms, granular options, and documented withdrawal processes.
    Impact: 4 (Major) - Processing without valid consent is a fundamental GDPR violation. It could invalidate your entire legal basis and result in enforcement action, but it is not as immediately harmful to individuals as a data breach.
    Risk Score: 2 x 4 = 8 (Medium) - Manageable with standard controls.

  10. Assessing Data Retention Risk

    The third risk is Data Retention. Health analytics requires historical data, but GDPR mandates storage limitation. Consider:
    How long is data kept?
    Is there automatic deletion?
    Are retention periods documented and enforced?
    Old data increases breach exposure.
    Assess this risk with Likelihood: 2 (Unlikely with defined policies) and Impact: 3 (Moderate - retaining data too long violates storage limitation but is less severe than a breach).
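As an added example (not part of the training module or its Risk Assessment tool), the scoring rule and bands from the risk matrix step applied to the three risks walked through above, with input validation so an out-of-range score cannot silently land in the wrong band; the rule that High and Critical scores require documented mitigation is an assumption drawn from the Data Breach step.

```python
from dataclasses import dataclass

# Risk bands as stated in the module: (lowest score, highest score, label).
BANDS = ((1, 4, "Low"), (5, 9, "Medium"), (10, 16, "High"), (17, 25, "Critical"))


@dataclass(frozen=True)
class RiskEntry:
    name: str
    likelihood: int
    impact: int
    score: int
    band: str
    needs_documented_mitigation: bool  # assumption: High and Critical only


def band_for(score: int) -> str:
    """Map a 1-25 risk score onto the module's four bands."""
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside 1-25")


def assess(name: str, likelihood: int, impact: int) -> RiskEntry:
    """Score one risk category; both inputs must be integers 1-5."""
    for label, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{label} must be an integer 1-5, got {value!r}")
    score = likelihood * impact          # Likelihood x Impact = Risk Score
    band = band_for(score)
    return RiskEntry(name, likelihood, impact, score, band,
                     band in ("High", "Critical"))


def build_register(entries):
    """Assess every (name, likelihood, impact) tuple, highest score first."""
    return sorted((assess(*e) for e in entries), key=lambda r: r.score, reverse=True)


# The three risks the module walks through, with its stated scores (constructed input).
PLATFORM_RISKS = [
    ("Data Breach", 3, 5),
    ("Consent Management", 2, 4),
    ("Data Retention", 2, 3),
]

if __name__ == "__main__":
    for r in build_register(PLATFORM_RISKS):
        action = "document mitigation" if r.needs_documented_mitigation else "standard controls"
        print(f"{r.name:<20} L{r.likelihood} x I{r.impact} = {r.score:>2}  {r.band:<8} {action}")
```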