¶ What is a Pre-DPIA?
A Preliminary High-Risk Assessment (Pre-DPIA) is an early-stage evaluation that helps organizations identify potential risks associated with planned data processing activities before they are implemented. Its primary purpose is to determine whether the proposed processing is likely to pose a high risk to individuals' rights and freedoms and, consequently, whether a full DPIA is required. Acting as a screening tool, the Pre-DPIA enables organizations to assess potential privacy risks early in the process, ensuring compliance with GDPR and reducing the likelihood of costly adjustments later.
The Article 29 Working Party has identified nine key criteria that indicate when a DPIA may be necessary:
- Evaluation or scoring (e.g., profiling individuals’ behavior or financial status).
- Automated decision-making with significant effects (e.g., AI-based hiring decisions).
- Systematic monitoring (e.g., large-scale CCTV surveillance).
- Processing special categories of data (e.g., health or biometric data).
- Large-scale data processing (e.g., data collection affecting many individuals).
- Matching or combining datasets (e.g., linking data from multiple sources).
- Processing data about vulnerable individuals (e.g., children or elderly people).
- Using new or innovative technology (e.g., facial recognition).
- Restricting individuals' rights or access to services (e.g., creditworthiness assessments).
If two or more of these criteria apply, a DPIA should be conducted to ensure compliance with GDPR.
¶ What Happens if a DPIA is Not Done?
Failure to conduct a DPIA when required can lead to regulatory action, including fines from Data Protection Authorities. The Norwegian Data Protection Authority has outlined specific cases where a DPIA is always required, such as biometric identification and systematic employee monitoring.
¶
¶ How do you conduct a pre-DPIA in Diri?
Go to ‘Processing activity’ and select the processing activity you want to assess for high risk. Then, choose the yellow button labeled ‘Start Pre-DPIA’.
Once you have answered the questions with yes or no, you will receive feedback in the system on whether you need to conduct a full DPIA or not. You can now choose whether you want to finish without conducting a DPIA or finish and create a new DPIA.
