Data protection impact assessment

Data Protection Impact Assessments (DPIA) help organizations identify and manage risks to people's personal data. Data controllers need to carry out a DPIA before any processing likely to result in a high risk to the rights and freedoms of individuals. If such risks cannot be mitigated by appropriate measures, the controller needs to consult the Data Protection Authority (DPA) before proceeding. The EDPB provides guidance on DPIAs. DPAs also adopt lists of the kind of processing activities for which a DPIA is or is not required, which are subject to opinions of the Board.