Mandatory List for Data Protection Impact Assessments

The Data Protection Commissioner (DPC) has recently published a draft list of data processing activities which will require a Data Protection Impact Assessment (DPIA). This is not an exhaustive list and many other processing activities may require a DPIA. However, this list sets out processing activities which will require a mandatory DPIA.

A DPIA is an assessment which a data controller should conduct, prior to undertaking a type of processing which is likely to result in a high risk to the rights and freedoms of natural persons, particularly when using new technologies. It is dealt with in Article 35 of the GDPR.

The assessment should, amongst other things, weigh up the risks to the rights and freedoms of natural persons and the measures which can be put in place to safeguard against those risks.

Below is the draft list of situations where the DPC requires a DPIA to be conducted. This is required where an organisation is intending to:

  1. Use personal data on a large scale for a purpose(s) other than that for which it was initially collected (pursuant to Article 6(4) of the GDPR)
  2. Profile vulnerable persons, including children, to target marketing or online services at such persons
  3. Use profiling or special category data to determine access to services
  4. Monitor, track, or observe individuals’ location or behaviour
  5. Profile individuals on a large scale
  6. Process biometric data to identify an individual
  7. Process genetic data
  8. Indirectly source personal data where GDPR transparency requirements are not being met
  9. Combine, link or cross-reference separate datasets, where such linking contributes to profiling or behavioural analysis of individuals
  10. Process personal data based on legislative measures under the Data Protection Act 2018, where suitable and specific measures are required to safeguard the fundamental rights and freedoms of individuals
  11. Further process personal data for archiving purposes in the public interest, scientific or historical research or statistical purposes.

Following a period of public consultation, the draft list will be sent to the European Data Protection Board for approval.

It is important for organisations to be aware of this mandatory list as, in order to be compliant with data protection law, DPIAs should be conducted before an organisation embarks on a project which involves any of the activities included on the list.

For more information on GDPR compliance for your organisation, please contact Conor Lupton: