Data Protection Impact Assessments (DPIAs) are critical to companies’ successful compliance with the General Data Protection Regulation (GDPR), and to their efforts to establish responsible, effective data governance within their organizations. Article 35 of the GDPR requires companies to conduct a DPIA when processing is likely to result in a “high risk” to individuals.

On August 6, we blogged about the advice of the Belgian data protection authority on this aspect of the GDPR. But the Belgian DPA did not issue its recommendations in isolation. The Article 29 Working Party (the “Working Party”) late last year adopted Guidelines on data protection impact assessments and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (the “Guidelines”). Companies determining when DPIAs are required will also find helpful advice here.

The Working Party emphasized that DPIAs are an important risk management tool and that even where companies’ data activities do not trigger the DPIA obligation established in the statute, data controllers must still implement appropriate risk management measures. Highlighting the dynamic, continuing nature of data protection work within companies, the Working Party noted that risks associated with their data processing activities should be assessed on an ongoing basis.

The Guidelines also list criteria to consider when determining whether processing activities are likely to expose data subjects to risk that would trigger the DPIA requirement. These include:

  • Evaluation or scoring
  • Automated decision-making with legal or similar significant effect
  • Systematic monitoring
  • Sensitive data or data of a highly personal nature
  • Data processed on a large scale
  • Matching or combining data sets
  • Data concerning vulnerable data subjects
  • Innovative use or applying new technological or organisational solutions
  • When the processing in itself “prevents data subjects from exercising a right or using a service or a contract”

The Working Party strongly emphasized the importance of continuously assessing whether data processing activities trigger the need to conduct a DPIA in light of changes that might affect such activities. These could include changes to the risks that result from processing activities, or changes in, among other things, how processing is conducted that affect its scope, purpose, and the type of personal data collected.

Taken together, the guidance of the Working Party and the Belgian DPA makes clear that data protection is not a one-time event. Companies will need to evaluate periodically not only their GDPR obligation to conduct DPIAs, but also whether the risk mitigation measures they have taken are effective, even when DPIAs are not required.

