Skip to content

GDPR Step 06: Data Protection Assessments

Under Article 35 (opens in a new tab) of GDPR, businesses must perform data protection impact assessments (DPIAs) before processing personal data. DPIAs weigh the business benefits of processing users' data with the potential risks on consumers. Going through these assessments will help your business identify any unaddressed risks of processing consumers' data. 

The enforcement authority in each EU member state has a list of all of the processing activities that are required in a DPIA. Generally, DPIAs should contain at least:

  • A description of the processing activities, including the purpose and identifying the legitimate business interest from the controller;
  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • An assessment of the risks to the rights and freedoms of data subjects;
  • The measures taken to mitigate risks, such as safeguards and security measures.

To make sure your DPIAs properly demonstrate compliance, work with your DPO or GDPR representative to include all of the necessary information listed above.