Seven Step Process for Performing a Data Protection Impact Assessment (DPIA)

The General Data Protection Regulation (GDPR), under Article 35, requires controllers to perform a Data Protection Impact Assessment (DPIA) when certain conditions exist. Specifically, “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons…”.
GDPR Legal Requirements that Demand a DPIA be Performed

In accordance with Article 35(3), a data protection impact assessment is required in the case of:
(a). Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b). Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offenses referred to in Article 10; or
(c). A systematic monitoring of a publicly accessible area on a large scale.

Proven 7 Step Methodology for an Efficient and Comprehensive DPIA Report

In line with industry best practices regarding the GDPR, organizations seeking to perform a DPIA should follow the well-known seven (7) step DPIA process, which ensures complete coverage of all required subject matter from beginning to end:
Step 1: Pre-Assessment Determination.
Step 2: Description of “Processing” of Data.
Step 3: Consultation with Individuals.
Step 4: Assessing Necessity and Proportionality.
Step 5: Risk Identification and Assessment.
Step 6: Risk Reduction and Mitigation.
Step 7: Issuance of DPIA Report.

Step 1: Pre-Assessment Determination

As an organization, you first need to determine whether a DPIA is necessary at all, based primarily on the requirements put forth in the GDPR. Your first step is therefore a pre-assessment determination: examine the GDPR criteria above and make a final decision on whether a DPIA is in fact required.

Step 2: Description of “Processing” of Data

If a DPIA is needed, the next task is to understand the many measures regarding “processing” – specifically, the “nature, scope, context and purposes of the processing”. This in turn requires conducting numerous activities.

Step 3: Consultation with Individuals

Per ico.org.uk, “If the DPIA covers the processing of personal data of existing contacts (for example, existing customers or employees), you should design a consultation process to seek the views of those particular individuals, or their representatives.” Additionally, per ico.org.uk, … “If the DPIA covers a plan to collect the personal data of individuals you have not yet identified, you may need to carry out a more general public-consultation process, or targeted research.”

Step 4: Assessing Necessity and Proportionality

Per Article 29 of the GDPR, organizations are to include how they ensure data protection compliance, which is a good measure of necessity and proportionality.

Step 5: Risk Identification and Assessment

It is also critical when performing a DPIA to conduct an assessment of the risks relevant to the organization’s processing activities. Specifically, organizations should assess, define, and document all relevant risks that could impact those processing activities.

Step 6: Risk Reduction and Mitigation

Every organization will have identified relevant risks that need to be mitigated to the fullest extent possible. With a properly performed risk assessment, you can then decide which options best reduce each risk. Every organization is different, and as such the measures chosen to reduce risk will differ as well.

Step 7: Issuance of DPIA Report

The conclusion of a DPIA should be a final, formal report documenting the following:
(1). Additional measures you plan to undertake.
(2). Whether each risk has been eliminated, reduced, or accepted.
(3). The overall level of ‘residual risk’ after taking the additional measures.
Whatever the findings are, it is important to then implement them in your existing control environment.