Authored by: T. Kehonji and J. Nabi

The Data Protection Act (DPA) provides for the carrying out of a Data Protection Impact Assessment (DPIA) as part of data protection procedures. The Office of the Data Protection Commissioner (ODPC) has issued a Guidance Note on Data Protection Impact Assessment to assist the data controllers/processors understand their obligations and appreciate the need to take a DPIA.

Here’s what you need to know:

  1. What is a Data Protection Impact Assessment?

A DPIA is a process designed to identify risks arising out of the processing of personal data and to minimize these risks as far and as early as possible. Although it is not mandatory for all data controllers and data processors to carry out a DPIA, it is a pre-requisite when the processing of personal data is likely to result in a high risk to the rights and freedoms of a subject.

The fact that conditions triggering this mandatory obligation have not been met does not diminish general obligations to implement measures to appropriately manage risks for the rights and freedoms of data subjects; meaning there must be continuous assessment of risks created by processing activities in order to identify likely high-risk situations. In cases where it is not clear whether a DPIA is required, it is recommended that a DPIA is carried out nonetheless.

A DPIA can help identify the least privacy intrusive way of achieving a legitimate aim. Data controllers and processors have a duty to implement data protection principles in an effective manner; integrate necessary safeguards into the processing; and ensure that only personal data necessary for each specific purpose is processed.

  • When is DPIA required?

A DPIA is required when any of the following criteria is met:

  • Automated-decision making with legal or similar significant effect

Processing that aims at taking decisions on data subject with legal or similar effects concerning or affecting the person. This includes profiling and predicting, for example, personal interests.

  • Systematic monitoring

Processing used to observe, monitor or control data subjects. There may be circumstances where data subjects may not be aware of who is collecting their data and how they will be used. It may be impossible for individuals to avoid processing in public or publicly accessible spaces.

  • Sensitive personal data or data relating to a data subject or matters of a private nature

These are data that increase the possible risk to the rights and freedoms of the data subject, such as health status, genetic data, sexual orientation, among others.

  • Data Processed on Large Volumes or Large Scales

In determining whether the processing is on large scale, the Number of data subjects concerned; Range of different data items being processed; Duration of the data processing activity; and the Geographical extent of the processing activity are considered.

  • Matching or Combining Datasets

Personal data from different data processing operations performed for different purposes and/or by different data controllers in a way that would exceed reasonable expectations of the data subject.

  • Data concerning vulnerable data subjects

This would result in a power imbalance between the data subjects and data controller/processor as the subjects may be unable to consent or oppose the processing of their data. Vulnerable subjects include children, employees, the elderly, among others.

  • Innovative use or applying new technological or organizational solutions

New technology, and in turn, new forms of data collection may have unknown personal and social consequences with a possibility of high risk to data subjects’ rights and freedoms and there require a DPIA.

  • Where processing itself prevents Data subjects from exercising a right

This includes processing information aimed at allowing, modifying or refusing data subjects’ access to a service or entry into a contract.

  • When is a Data Protection Impact Assessment not required?

A DPIA is not required in the following instances:

  1. Where the processing is not likely to result in a high risk to the rights and fundamental freedoms of the data subjects;
  2. When the nature, scope, context, purpose and risk of the processing are very similar to the processing for which DPIA have been carried out;
  3. Where processing falls under the exceptions stated in Section 51 (2) of the DPIA

Disclaimer: The information herein is not legal advice and is only intended for information purposes. For any further information on the above or all aspects of data protection kindly reach out to us through

Leave a Comment

Your email address will not be published. Required fields are marked *