Data Protection Impact Assessment Scheme
If the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons, Article 35(1) of the GDPR requires the data controller to conduct a data protection impact assessment (DPIA) and to document it before starting the intended data processing.
This certification scheme provides a precise specification of the steps to be taken when completing a DPIA, including:
- a systematic description of the envisaged processing operations
- the purposes of the processing
- where applicable, the legitimate interest pursued by the data controller
- an assessment of the necessity and proportionality of the processing operations
- an assessment of the risks to the rights and freedoms of data subjects
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.