Guidelines on DPIA

18 October 2017

The latest publications on DPIAs: the WP29 Guidelines and an infography.

Article 35 of the GDPR provides for the conduct of a Data Protection Impact Assessment (DPIA), where the processing is likely to result in a high risk to the rights and freedoms of the data subjects. This DPIA is supposed to show the characteristics of the treatment, the risks and the measures adopted.

In order to explain Article 35 and propose a common interpretation, the European Data Protection Authorities (the WP29) have created "Guidelines on DPIAs and high-risk processing", the final version of which has just been adopted.

For its part, the CNIL is preparing tools to help professionals defining in which cases a DPIA is compulsory and to accompany them in its implementation.

The new "PIA guides" and a free software will soon be available!

The CNIL also plans to publish a framework for conducting DPIAs on connected objects and a case study by the end of the year.

Finally, to complete these tools, the next work will focus on the creation of two lists:

  • processings that require a DPIA;
  • processings that do not need to be subject to a DPIA.

 

An infography outlines the main principles :