“Going forward, (Data Protection Impact Assessments) DPIAs should be considered beneficial to both controllers and processors for multiple reasons, including determining which alternative transfer mechanisms might be most viable, as well as establishing supplementary measures,” says Adam C. Schlosser for IAPP, the International Association of Privacy Professionals.

“Also, in light of the recent decision, there

The French Data Protection Authority CNIL has issued guidance on types of data processing for which a Data Protection Impact Assessment (DPIA) is not required under GDPR:

  • HR-related processing, not including profiling, for companies with under 250 employees (e.g: payroll , training, employee timekeeping – without biometrics, evaluations)
  • Processing solely for calculating working time (except

The European Data Protection Supervisor has produced an Accountability Toolkit that provides a detailed framework for conducting Data Protection Impact Assessments (DPIA) which can be useful for controllers and processors subject to GDPR as well.

Some basic principles:

  • Map out your processing against the data protection principles
  • Assess and mitigate risks
  •  Seek prior consultation when

A Data Protection Impact Assessment (DPIA) is a process, required by the EU General Data Protection Regulation (GDPR), to help identify and minimize the data protection risks of a project.

The UK Information Commissioner’s Office (ICO) has published a new guidance on DPIA’s.

Per the guidance you are required you to do a DPIA if