Data Protection Impact Assessments (DPIA)

What is a DPIA?

A Data Protection Impact Assessment (DPIA) is an essential procedure for assessing and minimizing the privacy and data protection risks involved in processing personal data. Under both the revised Swiss Data Protection Act (FADP) and European data protection law (GDPR), companies must conduct a DPIA if the planned data processing is likely to pose a high risk to the individuals concerned.

A DPIA is especially necessary when:

  • New technologies or extensive data processing activities, such as AI-driven analyses or automated customer profiling, are introduced.
  • Sensitive personal data, such as financial or behavioral data, is processed.

The primary goal of the DPIA is to identify data protection risks early on and implement suitable measures to mitigate these risks. Through a DPIA, the company can meet regulatory requirements, build customer trust, and minimize the risk of data breaches. It acts as a preventive control to protect individuals' privacy during all data processing activities.

Here are some concrete examples where a DPIA may be required:

  • Customer scoring and creditworthiness checks
  • Automated customer profiling for tailored offers
  • Real-time monitoring and fraud prevention
  • Processing biometric data for authentication
  • Using external cloud services for data processing

Overview

You can find a list of all your DPIAs on the overview page. You may browse through the different tabs All, Active, Draft, Inactive, and Review to see the status of your DPIAs.

Creating a new DPIA

The following steps will help you perform what is necessary for a complete DPIA. The more carefully the steps are worked through, the better and more reliable the DPIA will be.

Start by clicking the Create button and then the Create DPIA button. As with every element, you can create the DPIA manually or download a shared one from the organization. This guide focuses on manual creation. To learn more about Downloading an element, read the corresponding guide.

  • General Information: First, choose the person responsible for your new DPIA and its status. Give it a name and select the organizational unit.
  • Choosing the linked ROPA: When performing a DPIA, you need to link all the processing activities the DPIA should assess. If you have already saved the applicable processing activity in the ROPA, you may choose it from the library. Otherwise, you may need to create a new one.
  • Identifying the need for a DPIA: As underlying information, it is essential to explain why a DPIA is necessary for the processing activity. Describe how and why you identified the need for a DPIA. You may be required to perform a DPIA under the applicable data protection law; if you have assessed whether this is the case, insert your conclusion here.
  • Describing the processing: For completeness, provide information on the processing that is the subject of the DPIA. The more detail you can provide, the more accurately the DPIA can be performed. Therefore, it is essential to describe how the data is processed for this particular activity.
  • Click Save to finish.

Managing a DPIA

General

When you click on the DPIA you want to manage, you will see its general information. Click Edit if you wish to update it.

As with most elements, you may write notes by clicking the Notes button on the right or manage its Access and Sharing by clicking the three horizontal dots in the top right corner.

Click on the blue menu icon at the top left to expand or minimize the menu.

Consultation

The consultation process involves, for example, internal coordination with the relevant departments and the involvement of the Data Protection Officer (DPO). Consultation with the competent supervisory authority is always necessary if the DPIA shows that significant risks remain despite the protective measures taken. This authority can provide advice, suggest additional measures, or, in extreme cases, prohibit the data processing.

On the Consultation tab, you will find all consultation processes for this DPIA.

  • You can click on an existing process to see more detailed information or to edit it.
  • To create a new consultation process, click on Add.
  • Fill in the required information.
  • Click on Next.
  • Now, you can link Meetings & Activities, Assessments, and Documents to your consultation process.

Balancing of interests

Click Edit in the Balancing of Interests tab to fill in the field. It is essential to balance all interests based on the assessed risks related to the processing activity. This should be done in sufficient detail and with due diligence. Consider the purpose of the processing, its reasons, risks, necessity, and proportionality. Sound argumentation and objectivity are essential at this stage, as is awareness of any biases.

Tasks

The Tasks tab provides a list of all tasks related to your DPIA. You may either click on one of the tasks to view more information or link a new task to this DPIA by clicking the Add button and choosing from the list of existing tasks. If you'd like to create a new task, you can also do so by clicking the Create button. Follow the Tasks guide to learn more.

Assessments

The Assessments tab lists all linked assessments regarding your DPIA. You may click on one of the assessments listed to obtain more information. If you wish to link another assessment, click the Add button and choose from all your assessments. If you want to add a new assessment, you may create one by clicking the Create button. Follow the Assessments guide to learn more about it.

Assets

Lastly, you will find all the DPIA's linked assets on the Assets tab. You can link additional ones using the Add button. Ensure you have linked all assets involved in the processing activity you are scrutinizing with that DPIA.

To learn more about Assets, you can follow the corresponding guide.
