It is compulsory to carry out a risk assessment when processing personal data that could pose a high risk to the rights and freedoms of the individuals concerned.
What does it involve?
And how do you go about it?

What is a data protection impact assessment?

If you identify personal data processing operations that present a potential risk to the rights and freedoms of data subjects, you must carry out a data protection risk assessment, and you must do so for every such processing operation.

This is an impact analysis focused on the protection of personal data: it lets you design processing operations that take privacy into account from the start, and it produces the evidence you need to demonstrate that your processing complies with the GDPR.

The two main pillars

The Data Protection Impact Assessment (DPIA) is a privacy impact assessment tool based on two main pillars:

  1. Privacy risk management: this lets you identify the risks to personal data and implement technical and organisational measures to address them.
  2. Fundamental principles and rights: these are non-negotiable principles and rights laid down by law. They cannot be weakened or traded off against risk, whatever the nature, severity or likelihood of that risk.

GDPR impact analysis example

What should the analysis contain?

Here's what a DPIA contains:

  • A description of the processing studied and its purposes;
  • An assessment of the necessity and proportionality of the processing operations with regard to the purposes;
  • An assessment of the risks to the rights and freedoms of the people concerned, and the measures envisaged to address these risks.

For further details on risk assessment for the protection of personal data, please consult the website of the CNIL (the French National Commission for Information Technology and Civil Liberties).

🤵 Parties involved in carrying out a DPIA

  • The data controller: as the data controller, you must validate the DPIA and commit to implementing the action plan it defines;
  • The Data Protection Officer: draws up the action plan and checks that it is implemented;
  • The processor: must provide the information needed to complete the DPIA;
  • Data subjects: must be asked for their views on the processing, since it concerns them.