
Data protection impact assessment and prior consultation

Conducting a data protection impact assessment and prior consultation under the GDPR. Dr Bo Zhao discusses the topic.
© University of Groningen

A Data Protection Impact Assessment (DPIA) is a tool to determine in advance the privacy risks involved in data processing. Article 35 and Article 36 impose the obligation to conduct a DPIA and to have prior consultation in certain cases.

Data Protection Impact Assessment (DPIA)

If there is a chance that a new type of processing (especially when using new technologies) may cause a high risk to the rights and freedoms of natural persons, the data controller needs to carry out a DPIA. This is especially the case with respect to:

  • Automated decisions, including profiling;
  • Special categories of data (Article 9) and data relating to criminal convictions and offences (Article 10);
  • Systematic monitoring of public spaces on a large scale.

Organisations don’t have to carry out DPIAs for all processing operations separately; one DPIA can address a set of similar processing operations that have a similar high risk. When carrying out a DPIA, the controller has to seek advice from the data protection officer (if there is one) and views from data subjects or their representatives (if appropriate).

The DPIA should contain at least:

  • A systematic description of the processing operations, purposes and the legitimate interest;
  • An evaluation of the necessity and proportionality of the processing operations in relation to the purposes;
  • An evaluation of the risks to the rights and freedoms of data subjects;
  • Possible measures to address risks and to demonstrate compliance.

A controller is exempted from carrying out a DPIA if:

  • processing is necessary for compliance with a legal obligation to which the controller is subject;

  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The exemption applies if this processing has a legal basis (in EU or Member State law) and that law regulates the specific processing operation, or if the DPIA has already been carried out as part of a general impact assessment. This means that, if a law (EU or national) requires processing and there has been a DPIA with the entry into force of that law, a DPIA is not required, unless the supervisory authority determines otherwise.

Prior consultation

A controller has a legal obligation to consult with the supervisory authority before processing if a DPIA indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk. Based on this consultation, the supervisory authority provides the controller with written advice.

For prior consultation, the controller needs to provide the following information:

  • The respective responsibilities of the controller, joint-controller, and processor;
  • The purposes and means of data processing;
  • Measures and safeguards taken to protect data subjects’ rights and freedoms;
  • The contact details of the data protection officer (if applicable);
  • The DPIA;
  • Any other information requested by the supervisory authority.

If you want to know more about DPIAs, you can read the guidelines drafted by the Article 29 Data Protection Working Party, which you can find below under downloads.

This article is from the free online course Understanding the GDPR.
