GDPR – Six key stages of the Data Protection Impact Assessment (DPIA)


Six key stages of the DPIA

DPIAs are scalable in length and scope, depending on the privacy risks and impact of the processing operation.

The key stages of the DPIA are:

1. Identify the need for the DPIA

Determine whether the inherent risks of the processing operation require you to undertake a DPIA.

2. Describe the information flow

Be able to describe how the information within the processing operation is collected, stored, used and deleted.

3. Identify privacy and related risks

Catalogue the range of threats, and their related vulnerabilities, to the rights and freedoms of individuals whose data you collect and/or process.

4. Identify and evaluate privacy solutions

For each identified risk to the personal data, make a ‘risk decision’: accept the risk, reject it, transfer it, or take steps to reduce the likelihood or the impact of the threat successfully exploiting the vulnerability.

5. Sign off and record the DPIA outcomes

Record the outcomes of the DPIA (steps 1-4) in a report that is signed off by whoever is responsible for those decisions. Where a high risk has been identified, the organisation must submit the DPIA to the regulatory authority for consultation before the processing begins.

6. Integrate the DPIA outcomes into the project plan

You will need to refer back to the DPIA throughout the project to ensure that it is being followed and that its responses to the identified risks have been implemented effectively.


Written by Ralf Helkenberg

To find out more about DPIAs, read our DPIA Q&A.