A DPIA (Data Protection Impact Assessment) is an analysis that identifies the processes used to handle data and then determines the data breach risks.
Which companies should carry out a DPIA?
Under GDPR, a written risk analysis – the first stage of a DPIA – should be carried out regularly by every company. A full DPIA, on the other hand, is required where, as stipulated in Article 35 of GDPR, a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.
PhD Dorota Echaust-Przybytniak
Based on the guidelines of supervisory authorities, it can be concluded that a DPIA must be carried out by entities processing sensitive data, such as:
- health data;
- data that monitor human behaviour (e.g. video surveillance, but also automated assessment of creditworthiness and ability to pay by financial institutions).
Our experts have been working for both of these sectors for years. Our industry experience and expertise in GDPR and IT make it possible for us to carry out a detailed and complete DPIA.