Data Protection Impact Assessment
A data protection impact assessment (DPIA) is a formal process used to identify and minimize data protection risks when processing personal data. Organizations must carry out a DPIA before processing that is likely to result in a high risk to individuals' rights and freedoms, especially when using new technologies or processing special categories of personal data.
Legal Basis
"Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data."
— Article 35(1), Regulation (EU) 2016/679 (GDPR)
Why It Matters
Data protection impact assessments are essential for any organization that uses personal data for political advertising targeting or ad-delivery techniques. Under the GDPR, controllers must conduct a DPIA when processing operations are likely to result in high risk, particularly when using profiling, special categories of data, or systematic monitoring of individuals at large scale.
For political advertising, DPIAs are especially important because targeting techniques often involve processing sensitive personal data, such as political opinions, which is classified as special category data under the GDPR. Publishers and providers of political advertising services must assess whether their targeting practices require a DPIA before launching campaigns.
The DPIA helps organizations identify risks early, implement appropriate safeguards, and demonstrate accountability. It also determines whether consultation with the relevant data protection authority is necessary before processing begins. Organizations that fail to conduct required DPIAs face significant administrative fines under the GDPR.
Key Points
- Mandatory before high-risk processing: DPIAs are required when processing is likely to result in high risk to individuals' rights and freedoms, particularly when using new technologies or profiling
- Essential for political advertising: Targeting political ads using personal data, especially special categories like political opinions, typically requires a DPIA
- Must be done in advance: The assessment must be carried out before processing begins, not after campaigns are already running
- Identifies and mitigates risks: DPIAs systematically identify data protection risks and help organizations implement appropriate technical and organizational measures
- May require authority consultation: If risks remain high after mitigation measures, organizations must consult their data protection authority before proceeding
- Demonstrates compliance: Conducting and documenting DPIAs is part of the accountability principle under the GDPR and shows proactive compliance
Data Protection Impact Assessment vs. Risk Assessment
While both processes evaluate risks, a data protection impact assessment is a specific legal requirement under the GDPR focused on privacy and data protection risks to individuals. A general risk assessment might cover broader organizational or business risks, such as reputational damage, financial loss, or operational security.
A DPIA specifically examines how processing operations affect individuals' rights and freedoms, considering factors such as the nature, scope, context, and purposes of the processing. It must contain specific elements, including a description of the processing operations, an assessment of necessity and proportionality, the risks identified, and the safeguards planned to address them.
Under Regulation 2024/900 on political advertising, organizations that qualify as very large online platforms (VLOPs) must also conduct systemic risk assessments. These are separate from DPIAs, although the findings of one may inform the other.