Data Protection Impact Assessments (DPIAs) are required under Section 28 of the NDPA when processing is likely to result in high risk to the rights and freedoms of data subjects.
When is a DPIA Required?
- Large-scale processing of sensitive personal data
- Systematic monitoring of publicly accessible areas
- Automated decision-making with legal or significant effects
- Processing that involves new technologies
- Any processing identified as high-risk by the NDPC
DPIA Workflow
- Draft — Initial creation and scoping
- In Progress — Conducting necessity, risk, and mitigation assessments
- Completed — All assessments finished, outcome determined
- Archived — Historical record
NDPC Consultation
The NDPA requires consultation with the NDPC where a DPIA indicates that processing would result in high risk that cannot be mitigated. Track this with the NDPC Consulted checkbox.