What is a Data Protection Impact Assessment (DPiA)?


The GDPR Regulation abolished the requirement for data controllers to register personal data with GIODO and replaced it with the obligation to perform a data protection impact assessment. Does an impact assessment for the protection of personal data have to be prepared by each entrepreneur?

What is a personal data protection impact assessment?

Personal data protection impact assessment (also known as DPiA or regulatory impact assessment) is an assessment by the data controller of whether personal data processing operations in the company involve a risk or high risk of violation of the rights of data subjects (e.g. violation of the right to privacy).

If there is a high risk of information security breaches for the personal data processed in the company, a DPiA should be carried out: that is, the threats that may lead to a personal data breach should be identified, and appropriate preventive measures applied to prevent or minimize the risk of a data breach.

Breach of personal data protection means a breach of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.

Failure to comply with the data protection impact assessment requirements could be punishable by a fine. On the other hand, failure to conduct a DPiA when it is required (due to the high risk of breach of the security of personal data processing) may result in a penalty of up to EUR 10 million or, in the case of an enterprise, up to 2% of the total annual turnover, whichever amount is higher.

Who needs to carry out a data protection impact assessment?

An impact assessment is required in particular for:

  • systematic, comprehensive, automated assessment of personal factors, on the basis of which decisions are made that have legal effects on a natural person,

  • large-scale processing of sensitive personal data,

  • systematic large-scale monitoring of places accessible to the public.

To check whether a DPIA is required, it is recommended to verify whether the processing meets any of the following criteria:

  • assessment and scoring - profiling and forecasting, in particular regarding such data as: health, interests, location,

  • automated decision making with legal effects, e.g. profiling customers in terms of their purchasing preferences,

  • systematic monitoring, aimed at observing the subject of personal data (e.g. in a hotel, at a gas station, in a restaurant, etc.),

  • processing of sensitive personal data, e.g. collecting medical records,

  • large-scale data processing,

  • using technological innovations for data processing, e.g. biometrics,

  • data transfer outside the European Union.

If the controller or the company is faced with one or more of the above situations, then the DPiA is required.


It is the data controller (e.g. an entrepreneur) who independently decides whether a data protection impact assessment is necessary.

What should a data protection impact assessment contain?

The personal data protection impact assessment is similar in content to the basic risk assessment, which is described in the article: Risk assessment in the GDPR - is it really that terrible? A data protection impact assessment should include, in particular:

  • description of the processing of personal data (e.g. destruction, collection, etc.) and the purpose of their processing,

  • an assessment of the necessity of processing a given type of data and an indication of whether a given risky activity can be avoided and, if not, an indication of what preventive measures have been taken,

  • assessment of the risk of violating the rights and freedoms of personal data subjects,

  • measures planned to prevent the risk and demonstrate compliance of the processing of personal data.

A DPIA may contain more elements than those listed above, but the listed elements are mandatory for every DPiA.

When and how to carry out a DPiA data protection impact assessment?

DPiA should be performed prior to the commencement of processing operations (i.e. already in the process of data processing planning). A data protection impact assessment (DPiA) can be done by any method. The GDPR only indicates the essential elements it should contain (which were listed in the previous heading).

The assessment should be designed in such a way that, in the event of an audit, it can be presented to the supervisory authority in line with the principle of accountability.


The Administrator is obliged to carry out a data protection impact assessment, together with the Data Protection Officer - if appointed.

The data protection impact assessment can be entrusted to an external company, but the controller is responsible for it.

As for processing operations that already existed before the GDPR came into force, preparation of a DPiA is required if:

  • processing operations may result in a high risk of security breach,

  • there is a change in the type of risk.

However, it should be good practice to constantly review and update the DPIA. Therefore, even if a DPiA is not required on May 25, 2018, the data controller will still need to carry out such an accountability assessment in due course.

Sample sheet for DPiA - risk

Risk assessment is most often performed on the basis of criteria established by the company. For example, a given risk may be assessed in terms of its frequency or probability of occurrence, as well as its nature and severity.

When is it not necessary to carry out a DPIA?

A DPIA is not mandatory when:

  • it is unlikely that the processing operation could result in a high risk of violating the rights and freedoms of natural persons,

  • the nature, scope and purpose of the processing are similar to processing for which an impact assessment has already been carried out,

  • the processing operation has a legal basis - i.e. when a given type of processing is regulated by legal acts (law, regulation),

  • the processing operation is included in the optional list of "processing operations not subject to an impact assessment" established by the President of the Personal Data Protection Office,

  • when the processing operations have been checked by the supervisory authority before May 2018 under specific conditions and have not changed.


The role of the Personal Data Protection Officer (DPO) in DPiA

If the company has appointed a DPO, the DPO should be consulted on the obligation to conduct a DPiA, and the impact assessment should be carried out together with the DPO.

The guidelines of the Article 29 Working Party relating to the data protection officer recommend that the controller and the processor seek the advice of the officer, inter alia, on the following issues:

  • whether a data protection impact assessment should be carried out,

  • which methodology should be used when carrying out a data protection impact assessment,

  • whether an in-house DPIA should be carried out or be outsourced,

  • what safeguards (including technical and organizational measures) are applied to mitigate any threats to the rights and interests of data subjects,

  • whether the DPIA has been properly carried out and whether its results comply with data protection requirements (whether or not to continue processing and what safeguards to apply).

Prior consultations with the President of the Personal Data Protection Office

If the DPiA shows that there is a high risk of a personal data breach (e.g. unlawful access to data leading to a threat to life) in a situation where the controller:

  • would not apply risk minimization measures, or

  • cannot sufficiently mitigate the risk in question, or

  • has measures in place, but the risks remain high,

then, before starting the processing operation, the controller should report to the President of the Personal Data Protection Office (PUODO). As a result of consultations, PUODO may issue recommendations and guidelines on what measures the administrator should implement to protect personal data.

Working Group 29 guidelines on DPiA

Working Group 29 is a team of independent experts appointed under EU law to issue recommendations on the implementation of the GDPR. Poland is represented in the working group by the Inspector General for Personal Data Protection.

The main task of Working Group 29 is to contribute to the uniform application of the GDPR by all EU countries and to issue guidelines on the application of the provisions on the protection of personal data.

One of the WP29 documents concerns the Regulatory Impact Assessment: “Guidelines for a Data Protection Impact Assessment and Helping to Determine Whether Processing ‘May Be of High Risk’ for the purposes of Regulation 2016/679”.

In the "Guidelines", the Group suggests which criteria should be taken into account when preparing a personal data protection impact assessment. In addition, this document contains information on, for example:

  • what a DPiA concerns,

  • which data processing operations are subject to DPiA,

  • how to carry out a personal data protection impact assessment,

  • when to consult the supervisory authority,

  • guidelines regarding the Personal Data Protection Inspector.

Criteria for a data protection impact assessment to be GDPR compliant

Working Party 29 proposed the following criteria in order to be able to verify that a DPIA is carried out in line with the GDPR requirements. According to the guidelines, DPiA complies with the GDPR if:

  • a systematic description of the processing operation is provided:

    • the nature, scope, context and purposes of the processing have been taken into account,

    • the register contains personal data, information about recipients and the period of storage of personal data,

    • resources with which personal data come into contact (hardware, software, networks, people, studies or transmission channels of studies) have been identified;

  • the necessity and proportionality of data processing were assessed:

    • the measures planned to be taken to ensure compliance with the regulation are indicated,

    • measures are indicated that contribute to the preservation of the rights of data subjects:

      • informing the data subject,

      • the right to access and the right to transfer data,

      • the right to rectify and delete data,

      • the right to object and the right to limit processing,

      • relationship with the processor,

      • safeguards for international data transfers;

  • activities were carried out in the management of the risk of violation of the rights and freedoms of data subjects:

    • the source, nature, specificity and severity of the risk have been taken into account,

    • risk sources have been taken into account,

    • the possible consequences of the risk have been identified,

    • threats to the security of personal data have been identified,

    • the probability and severity of the risk were estimated,

    • measures planned to be taken to address the risk are identified.