Data Protection Impact Assessments (DPIA)

Forvis Mazars DPIA methodology has been developed using years of experience, ensuring that risks are identified and mitigated in line with business needs while keeping a focus on individuals.

A DPIA is a risk assessment required in certain instances where processing presents a high risk to the rights of the individual, in particular:

  • a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
  • processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10.
  • systematic monitoring of a publicly accessible area on a large scale.

If you are unsure whether a DPIA is required, we can help using our expertly developed assessment tool.

DPIAs are vital documents required to ensure compliance but can also be used to demonstrate transparency.

Several different skills and areas of expertise are required to ensure that a DPIA is properly carried out in accordance with official guidelines. This includes the requirement that the DPIA is accessible to data subjects, i.e. they can read it and understand the data processing operation and its associated risks. Combining technical, legal, risk and compliance skills with strong communication is challenging. For this reason, amongst others, many organisations choose to get external advice from the team in Forvis Mazars for their DPIAs.

Additional reasons to seek assistance from Forvis Mazars include:

  • Our Privacy team members are experts in applying our best practice methodology. The team also has the most up-to-date knowledge of European privacy issues and judgements.
  • The high-risk nature of the processing undertaken can come under significant public scrutiny. A DPIA conducted by an external party can be deemed more credible to the impacted data subjects and increase the confidence the impacted subjects have in the privacy solutions.
  • Since DPIAs are not required in many instances, it is unlikely that many organisations will be in a position to conduct DPIAs routinely.