Data Protection Impact Assessment (DPIA) Vocabulary
Practise DPIA structure, high-risk triggers, risk assessment vocabulary, and mitigation communication under GDPR Article 35.
1 / 5
A DPIA (Data Protection Impact Assessment) is required under GDPR when:
GDPR Article 35 mandates a DPIA for specific high-risk scenarios: systematic profiling with legal effects, large-scale processing of special categories of data, and systematic monitoring of publicly accessible areas. Supervisory authorities publish lists of processing types that always/never require a DPIA.
2 / 5
The 'necessity and proportionality assessment' in a DPIA evaluates:
The necessity and proportionality assessment asks whether the same result could be achieved with less data, fewer people having access, shorter retention, or less intrusive means. GDPR's data minimisation and purpose limitation principles underpin this assessment.
3 / 5
Residual risk in a DPIA context refers to:
After applying mitigations (encryption, access controls, data minimisation), some risk still remains; this is the residual risk. If the residual risk is still high and cannot be mitigated further, GDPR Article 36 requires prior consultation with the supervisory authority before the processing begins.
4 / 5
A DPIA must be reviewed when:
DPIAs are living documents. Article 35(11) states that controllers shall carry out a review 'to assess if processing is performed in accordance with the DPIA at least when there is a change of the risk.' A significantly changed system is essentially a new processing activity.
5 / 5
The phrase 'we will mitigate this risk by implementing access controls and pseudonymisation' in a DPIA means:
Risk mitigation in DPIAs combines technical measures (pseudonymisation, encryption, anonymisation, minimisation) with organisational measures (access policies, staff training, data retention schedules). Each measure reduces but may not eliminate the identified risk.