General Data Protection Regulation Impact Assessment

Updated: Jan 5

What is it and when do you need it?


This article looks at the Data Protection Impact Assessment that is mandated under GDPR. Through examples, it is meant to show the complexity of such data protection laws, why operationalizing data governance is key, and why a framework is needed to tie together all data management policies, standards, and regulations.

Identifying risks early can help you earn your customers' trust and ensure compliance with the General Data Protection Regulation (GDPR) requirements.


In this article, we will review:

  1. The "Data Protection Impact Assessment" (DPIA) under GDPR; and

  2. How to implement it.


What Is The "Risk-Based Approach" Under GDPR?


Each category of personal data has a different sensitivity level, and each data processing activity creates a different degree of risk for individuals.

Unauthorized disclosure of sensitive medical records and accidental erasure of encrypted home addresses do not create the same level of data privacy risk.

To strike a fair balance between data subjects' rights and data controllers' obligations, the General Data Protection Regulation (GDPR) adopts a risk-based approach: depending on the risk, data controllers are subject to different compliance obligations.

GDPR Article 35 is the clearest example of this approach: depending on the degree of risk to data subjects' rights and freedoms, data controllers may have to conduct an impact assessment before processing data.