When must you carry out a data protection impact assessment (DPIA)?

By Philip Brining

I was preparing some slides for a training event I am delivering next month and thought it might be interesting to share some of the end of training “quiz” questions over the next few weeks more broadly than the group of trainees. As they are true/false, there should be a 50:50 chance of getting them right so here goes…


In accordance with the GDPR, we are required to carry out a Data Protection Impact Assessment for all projects that involve processing personal data and any activities (both internal and external) that affect the processing of personal data and impact the privacy of individuals. True or False?


ESLAF (as I cannot put the answers upside down as in the time-honoured tradition of quiz answers, I will put them backwards!) The GDPR doesn’t say that a DPIA must be carried out for all projects that affect the privacy of individuals although your own internal policy may well take this line, what the GDPR says is that, “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” Article 35 goes on to give circumstances when a DPIA must be carried out and provides for supervisory authorities or the EDPB to define a list of other circumstances when a DPIA is necessary and indeed both the EDPB and the supervisory authorities have been busy helping to further define when a DPIA is necessary.

The WP29 guidance (wp248 rev.01) was updated to contain a table containing 6 examples of processing that would require a DPIA and usefully examples of possible relevant criteria pushing those activities over the DPIA threshold. Included in that list are: the gathering of public social media data for generating profiles, the use of a camera system to monitor driving behaviour on motorways with automatic number plate recognition (ANPR) to single out cars using their license plates, and a company systematically monitoring its employees’ activities including the monitoring of the employees’ work station, internet activity etc.

The Belgian supervisory authority has published a “black list” of 10 distinct processing activities that would require a DPIA such as the use of CCTV with facial recognition used for the purpose of uniquely identifying a person in publicly accessible areas, the re-use for other purposes and disclosure of sensitive data between distinct data controllers, and the systematic and automated collection and recording of a person’s behaviour. In fact, the EDPB has considered 22 submissions by the supervisory authorities of the 28 member states which contain no less than 260 different types of processing!

Ultimately, while these opinions should be taken into account, it is up to each controller and processor to set their own policy and expectations as to when a DPIA must be carried out on processing operations they are undertaking or envisage undertaking, which as a minimum should include the processing activities set out in the relevant jurisdiction’s guidance and local opinions in addition to the context of the processing and any consistency that a pan-jurisdiction organisation may desire. So unfortunately, while technically the answer to question 1 is “false”, when must you carry out a DPIA really does depend on several factors which extend beyond the three conditions and “high risk processing” catch-all set out in Article 35 of the GDPR!

Philip Brining

Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.

    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/spam-texts-and-nuisance-calls/.  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here https://www.tpsonline.org.uk/register.

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here https://ico.org.uk/action-weve-taken/enforcement/.

    Data Protection People Limited – March 2021