Article 35 GDPR: Data Protection Impact Assessment (DPIA)

Article 35 of the GDPR requires the realization of a data Protection Impact Assessment (DPIA) before any treatment likely to cause a high risk for the rights and freedoms of natural persons. The objective: anticipate impacts, limit risks, and document security measures.

Article 35 of the GDPR explained

An AIPD is required in particular in the following cases:

Large-scale processing of sensitive or highly personal data;
Systematic monitoring of publicly accessible areas;
Massive data cross-referencing, profiling, automated scoring...

The AIPD includes:

A description of the processing and its purposes;
An assessment of necessity and proportionality;
A risk assessment for rights and freedoms;
The measures envisaged to limit these risks.

Why is this article important for your GDPR compliance?

The AIPD allows d’anticipate legal, ethical and technical risks, and demonstrate compliance. It is required in many cases and constitutes a pillar of the risk approach GDPR.

How to comply with Article 35 of the GDPR?

Identify treatments that may require DPA;
Use a structured model validated by the CNIL or a recognized method (EBIOS, ISO...);
Involve stakeholders from the treatment design stage;
Document analysis, corrective actions and follow-up.

Examples of application of Article 35 of the GDPR

A town hall sets up a video surveillance system: an AIPD is mandatory;
A bank launches a credit scoring application: the impact analysis is carried out;
An HR platform uses artificial intelligence to sort applications: it documents risks via an AIPD.