Data Protection Impact Assessment (DPIA)

Under the GDPR, there is a new general accountability obligation to show one complies with the Regulation by conducting a privacy impact assessment when ‘high risk’ processing is carried out. ‘High-risk’ processing includes:

  • systematic and extensive profiling that produces legal effects or significantly affects individuals;
  • processing sensitive personal data on a large scale; and
  • systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV).

Please visit:


Article 29 Working Party has issued Guidelines on Data Protection Impact Assessments (WP 248). The European Data Protection Board endorsed the GDPR related WP29 Guidelines.

The President of the NSAPDP has issued Decision no. 174 from 18th of October 2018 regarding the list of processing operations for which it is mandatory to conduct a data protection impact assessment.

 Please visit: