Logo Inveo Academy

Select your language

The GDPR requires the Data Controller to implement "appropriate measures" to GUARANTEE and be able to DEMONSTRATE compliance with the regulation.

DPIA is a process intended to:

  1. Describe the treatment
  2. Assess its necessity and proportionality
  3. Helping to manage risks to the rights and freedoms of individuals

In line with the risk-based approach, it is not mandatory to conduct a DPIA for every processing, but it is necessary to conduct it when a processing: "may present a high risk to the rights and freedoms of natural persons."

The obligation for data controllers to carry out a DPIA should be read in the context of their general obligations to adequately manage the risks presented by the processing of personal data.

A DPIA is also useful for assessing the impact of a technology product (hardware and software) when the same is used by separate owners; of course, the owner using said product remains subject to the obligation to carry out its own DPIA, in relation to the specific implementation.

  • When is a risk high?
  • What unit of measurement do we use to define "high risk"?

FIRST: Check the obligation of drafting in case the processing falls into the case studies in the case studies defined in Annex 1 to Order No. 467 of 11/10/2018 of the Privacy Guarantor "List of types of processing subject to the requirement of a data protection impact assessment pursuant to Article 35(4) of Regulation (EU) No. 2016/679."

SECOND: Make the assessment of risks related to the processing of personal data that may result from Unauthorized Disclosure/Access, Modification and Loss/Destruction. Having assessed the inherent risk (Ri) i.e. without the adoption of measures of appropriate to the risk and applying them I obtain the residual risk (Rr) which if higher than the acceptable risk (Ra) established by the organization, as a value known and tolerated by the company, and therefore High Risk that I cannot mitigate, triggers my DPIA obligation.

DPIA measures risks related to the rights and freedoms of stakeholders by always performing a risk assessment but defined by a Probability and Severity calculation defined by a matrix quite different from that of VR.