Data Protection Impact Assessment
Systematic evaluation of privacy risks to individuals' rights and freedoms
Compliance Score
Inherent Risk (before safeguards)
Safeguard Effect
Risk Level
Low risk. Continue monitoring and maintaining controls.
GDPR Principles
Residual Risk Gauge (after safeguard mitigation)
Risk Assessment
Chart legend: Red = Likelihood, Orange = Severity
Project Context & Data Processing
GDPR Fundamental Principles Assessment
Is the processing necessary for the stated purpose?
Is the processing proportionate to the objective?
Are you collecting only necessary data?
Is data used only for specified purposes?
Is data retained only as long as necessary?
Are measures in place to ensure data accuracy?
Risks to Data Subjects' Rights and Freedoms
Assess the likelihood and severity of each risk on a 1-5 scale. Risk Score = Likelihood × Severity
Privacy Violation
Unauthorized access or disclosure of personal data
Discrimination Risk
Potential for unfair treatment based on personal data
Identity Theft
Risk of identity fraud or impersonation
Financial Loss
Monetary harm to data subjects
Reputational Damage
Harm to data subject's reputation or social standing
Physical Harm
Risk of physical danger or safety concerns
Loss of Confidentiality
Breach of confidential or sensitive information
Loss of Data Control
Data subjects lose control over their personal data
Safeguard Measures & Risk Mitigation
Implementation level of encryption measures
Identity and access management maturity
Use of privacy-enhancing technologies
Automated data minimization controls
Logging and monitoring capabilities
Data breach response preparedness
Tools for exercising data subject rights (access, erasure, etc.)
Privacy built into system design
DPO engagement in processing activities
Processor agreements and oversight
About GDPR Article 35 DPIA
This calculator implements GDPR Article 35 requirements for Data Protection Impact Assessments. A DPIA is mandatory when processing operations are likely to result in high risk to individuals' rights and freedoms.
When a DPIA is Required:
- Systematic monitoring or profiling
- Large-scale processing of special categories of data
- Systematic monitoring of public areas
- Automated decision-making with legal effects
A DPIA Must Contain:
- Description of the processing operations
- Assessment of necessity and proportionality
- Assessment of risks to rights and freedoms
- Measures to address the identified risks
Consultation Requirements:
- DPO must be consulted (Art. 35(2))
- Data subjects or their representatives (where applicable)
- Supervisory authority (if high residual risk remains)
- Document all consultation outcomes
