There is no standard way to perform a DPIA. However, Article 35.7 GDPR calls for specific elements that shall always be present. These are:
- a systematic description of the envisaged processing operations;
- the purposes of the processing operations;
- an assessment of the necessity of the processing operations in relation to the purposes;
- an assessment of the proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects;
- the technical and organizational measures envisaged to address the risks.
The researchers can include further elements to better describe the processing and the underlying risks. Also, if the data controller realizes, after having performed a DPIA, that the risks to the rights and freedoms of the data subjects are not adequately mitigated by the measures envisaged to address such risks, the data controller shall seek prior consultation with the supervisory authority following the provisions of Article 36 GDPR.
The law does not prescribe a format for the DPIA; this can be freely chosen by the data controller. Some data protection authorities, however, have created templates that data controllers can adopt[1] (see also on this: “DPIA” subsection in the Main Actions and Tools section of the General Part of these Guidelines).
The DPIA is not a point-in-time activity, but a continuous process. Thus, it might be necessary to perform multiple assessments over time, for instance when contextual elements change or when new information becomes available.
The results of DPIAs shall be recorded and stored as part of the data protection documentation.
References
[1] See for instance, Commission Nationale Informatique & Libertés, ‘Privacy Impact Assessment (PIA). Templates’, February 2018.