The DPIA has two main purposes:
- building compliance and
- demonstrating compliance.[1]
1. The former refers to an internal process that accompanies the design and operation of a processing activity. By meeting the requirements of the GDPR, the risks that the processing activity poses to data subjects are identified and mitigated. Conducting a DPIA establishes data protection as a guiding principle that informs decisions so as to minimize the data protection risks and the impact of the processing on the affected persons;[2] this applies in particular to decisions about the purposes and means of the processing. It ensures that data protection requirements are taken into account throughout all life cycle phases of the activity, and not merely as an “afterthought” once all decisions have already been made. In other words, it prevents personal data from being processed without its risks and impact having been identified and without suitable safeguards and mitigation measures in place.
2. The latter refers to the DPIA report as a tool of accountability, used to demonstrate that a given processing activity complies with the GDPR.[3]
[1] wp248rev.01, page 4, Section I, 2nd paragraph: “In other words, a DPIA is a process for building and demonstrating compliance.”
[2] wp248rev.01, page 14, Section III.D.a), 1st paragraph: “The DPIA should be seen as a tool for helping decision-making concerning the processing.”
[3] wp248rev.01, page 4, Section I, 2nd paragraph: “DPIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation (see also article 24).” [Highlighting added by the authors]