How Do You Determine When a DPIA is Required?

Written by Tolulope Ogundele
October 16, 2024


As a privacy or data protection professional, you probably receive countless notifications about new processing activities within your organisation. It falls to you to determine when a Data Protection Impact Assessment (DPIA) is required under Article 35 of the GDPR. But how do you approach this decision-making process in a way that is both efficient and consistent?

While there are several ways to go about it, I aim to provide you with a simple, standardised process and template to help you determine when a DPIA is necessary. This approach ensures you maintain the documentation required to demonstrate accountability and makes it easier to justify whether a DPIA was conducted for a particular activity. If you find that a DPIA is not needed at the time, this process gives you a clear place to start if the need arises in the future.

Let's dive in!

What Is This Process?

The process I refer to can be called a Privacy Threshold Analysis (PTA), a DPIA Preliminary Assessment, or some other variant, depending on your organisation's terminology. The name isn't as important as the function it serves. For this article, we will go with PTA. A PTA is a screening tool that helps you assess whether a DPIA is required based on the nature of the processing activity, the risks involved, and the types of data being processed.

You may be familiar with the term Privacy Threshold Analysis from the US, where it is used to determine whether a full Privacy Impact Assessment (PIA) or System of Records Notice (SORN) is required. Although the term has American roots, the concept of using an initial screening step before deciding on the necessity of a full assessment fits neatly into GDPR practices as well. Adopting this approach can streamline your DPIA decision-making process while ensuring you meet regulatory expectations under the GDPR.

Why Use a Privacy Threshold Analysis?

Incorporating a PTA into your DPIA process has several advantages. First, it enables you to standardise your privacy risk assessment approach across different processing activities.

Additionally, it provides a clear audit trail which shows that you have thoroughly considered the risks before determining whether a full DPIA is necessary or not.

Moreover, a PTA minimises the need for a full DPIA for every processing activity. You can channel your attention and resources towards processing activities that present high risks to individuals' rights and freedoms.

Finally, a well-documented PTA process ensures consistency in decision-making. It makes it easier to explain your rationale to colleagues, stakeholders, or regulators if needed.

How Do You Use the Template?

In practice, conducting a PTA involves answering a series of key questions about the processing activity. For example, does the activity involve personal data? Is it large-scale processing? Does it include special categories of data, such as health or biometric information? Are vulnerable individuals involved? Answering these questions will help to determine the risk associated with the activity and let you quickly assess whether a DPIA is necessary.

The scoring system used to determine if a DPIA is required is straightforward. Each question is assigned a specific score, and the total score derived from the responses dictates whether a DPIA is necessary or not. For instance, a 'yes' answer to a question about large-scale processing might contribute 10 points to the overall score, while a 'no' answer could add 0 points.

Conclusion

Whether you refer to it as a Privacy Threshold Analysis or a DPIA Preliminary Assessment, determining whether a DPIA is necessary can be a straightforward and consistent process. With the use of a PTA, you can streamline your privacy risk assessment process across all processing activities, demonstrate accountability, and maintain proper documentation.

Privacy Threshold Analysis Template

The Privacy Threshold Analysis (PTA) is a tool to determine whether a Privacy/Data Protection Impact Assessment is required for a new project or an existing project that changes the way personal data is handled.

Kindly answer the following questions in as much detail as possible.
