Data Protection Impact Assessment

Also known as: DPIA, Privacy Impact Assessment, PIA

A process required under GDPR Article 35 for assessing and mitigating risks to individuals' rights and freedoms before undertaking high-risk data processing. DPIAs are mandatory when processing is "likely to result in a high risk," including large-scale processing of special category data (such as disability status) or systematic automated decision-making with significant effects. A DPIA must describe the processing, assess necessity and proportionality, identify risks, and outline mitigation measures. For AI systems affecting people with disabilities, DPIAs provide a proactive mechanism to identify potential discrimination before deployment, complementing the reactive nature of equality law enforcement.

Category: data protection · legal · GDPR · risk assessment

Related: GDPR · Special Category Data · Automated Decision-Making · AI Fairness

Sources

https://gdpr-info.eu/art-35-gdpr/
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/
https://doi.org/10.1145/3473673