Guide to The Data Protection Impact Assessment (DPIA)

We’re not even halfway through 2025, and the average cost of a data breach this year has already reached $5.3 million, an 8% increase from last year.
This rise in cyberattacks, ransomware in particular, has prompted regulations such as the EU’s GDPR, the US HIPAA, and many others to introduce new data protection obligations to protect customer data.
One of these is the Data Protection Impact Assessment (DPIA), a tool that helps organizations identify and reduce privacy risks before they begin processing personal data.
Throughout this article, we will explain why the DPIA is necessary for organizations, what it consists of, how it helps you understand the privacy risks of data processing, and how to develop measures to prevent them.
Table of contents
- What is a DPIA?
- Data protection impact assessment
- Data protection impact assessment minimum requirements
- DPIA guidelines
- How Internxt for Business protects customer data
- Frequently asked questions
What is a DPIA?
A Data Protection Impact Assessment is a requirement of the EU’s General Data Protection Regulation (GDPR), the regulation that harmonizes data protection law across the EU.
The DPIA is set out in Article 35(1) of the GDPR, which states the following regarding data processing:
"Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data."
This means that if a planned processing activity is likely to result in a high risk to people’s rights and freedoms, especially where it uses new technologies such as Artificial Intelligence, the organization must assess the potential impact on personal data before the processing starts.
Conducting a DPIA helps your company demonstrate compliance with GDPR to the relevant authorities, showing your commitment to protecting the privacy of personal data.

The obligation applies regardless of where your data lives: if your company processes personal data in the cloud in a way that is likely to result in a high risk to an individual’s rights and freedoms, your company, as the data controller, must carry out a data protection impact assessment beforehand. Using a cloud provider as a processor does not shift that responsibility away from you.
Data protection impact assessment
We know that you must conduct a data protection impact assessment before starting any high-risk processing of personal data, so these are some examples of when your company will have to conduct a DPIA:
- Monitoring employees' activities through surveillance or tracking tools.
- Processing large-scale health or biometric data.
- Processing children’s data.
- Processing special categories of personal data: ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data, and data concerning a person’s health, sex life, or sexual orientation.
- Using AI or automated decision-making that affects individuals.
- Tracking users' behavior across websites or mobile apps.
- Introducing new technologies that handle personal data in innovative ways.
- Systematically profiling customers to make marketing or credit decisions.
Once organizations become familiar with conducting a DPIA, they can address privacy risks early and reduce both the likelihood and the impact of a data breach. Failing to carry out a required DPIA is itself an infringement, and GDPR fines can reach €10 million or 2% of annual worldwide turnover for that infringement alone, on top of legal fees and reputational damage.
Below, we will examine the DPIA assessment guidelines to help you with the impact assessment process.
Data protection impact assessment minimum requirements
The minimum requirements for data protection impact assessment are outlined in Article 35, paragraph 7 of the GDPR. It states that a DPIA must include:
1. “A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller.”
In practice, this means businesses must document what personal data they collect, why they collect it, and how it flows through their systems.
2. “An assessment of the necessity and proportionality of the processing operations in relation to the purposes.”
This is the data minimization check: taking into account the nature, scope, context, and purposes of the processing, it prevents businesses from collecting data they do not need and limits what can be exposed if a breach does occur.
3. “An assessment of the risks to the rights and freedoms of data subjects.”
Each risk is weighed by the likelihood and severity of its potential impact. This holds businesses accountable for identifying problems early and putting the necessary security controls in place before processing starts, rather than after a fine or a reputational hit.
4. “The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation.”
Measures and safeguards in this case include controls such as end-to-end encryption, access controls, and other measures that a company uses to keep user data private and to prove it follows GDPR.

DPIA guidelines
The GDPR sets minimum requirements but leaves companies free to design a data protection impact assessment that fits their needs. With the following steps, your company can create a concise impact assessment that keeps personal data safe.
1. Determine whether a DPIA is needed
Before getting started, you should determine whether the planned processing is likely to result in a high risk to individuals by considering the nature, scope, context, and purpose of how and why the information is to be used, as seen below:
- Nature: what you plan to do with the customers’ data. Will it involve sensitive data?
- Scope: which personal data will be processed, how much, and whether it involves large-scale processing or systematic monitoring.
- Context: factors that shape what individuals would reasonably expect, internal or external, such as company policies, the relationship with the data subjects, or new technologies.
- Purpose: why your new project has to process your customers’ data.
2. Describe how data is processed
Next, you must clearly state how data is processed, for example:
- Types of personal data being processed, such as names, contact information, biometric data, or other sensitive information.
- Why it's being processed (e.g., to provide a service, for marketing, or legal compliance).
- Explain where the data originates and which internal or external entities have access to it.
- Specify how long the data will be kept and when it will be deleted, to comply with GDPR’s storage limitation principle.
- Where data is stored, e.g., databases, cloud storage, or physical storage devices.
3. Establish roles and responsibilities
Any GDPR, compliance, or auditing process can become overwhelming for small and even large businesses. In this case, you should consider consulting with or hiring a dedicated person who can oversee the impact assessment and ensure it is completed.
If your organization has appointed a data protection officer (DPO), Article 35(2) of the GDPR requires you to seek their advice when carrying out the DPIA, though the assessment itself remains the controller’s responsibility. External parties such as lawyers, security experts, or analysts can also help during the DPIA process if your company has the resources to involve them.

4. Assess what data processing is necessary
To ensure data processing aligns with GDPR’s protection requirements, your team should evaluate whether the data processing is necessary to achieve the intended purpose by asking:
- Are there alternative methods with fewer risks?
- Is the data collected strictly necessary?
- How does the data processing align with GDPR principles?
By considering these questions, you may be able to identify areas where data processing can be limited, thereby reducing the risk of accidental leaks or breaches.
5. Identify and evaluate risks
Carrying out a risk assessment will help you identify risks to an individual’s privacy, the severity of each one, and how likely it is to occur.
A structured matrix like the one below, with likelihood on the rows and severity on the columns, can help you rate each risk consistently.

| Likelihood ↓ / Severity → | Minimal impact | Some impact | Serious harm |
|---|---|---|---|
| Remote | Low risk | Low risk | Low risk |
| Reasonable possibility | Low risk | Medium risk | High risk |
| More likely than not | Low risk | High risk | High risk |

Document every risk you note, its likelihood and severity rating, and its potential effect on individuals, so that the next step can map a measure to each one.
6. Use technology to mitigate the risks
Once risks are identified in the previous step, you can take measures to reduce them, which may include:
- Zero-knowledge encryption: keep user data encrypted with keys that only the user holds, so that a breach of the storage provider exposes only ciphertext. For protection against future quantum computers, consider services that use post-quantum cryptography, like Internxt.
- Access controls: limit who has access to personal data, and apply zero-trust principles so that every access request is authenticated and authorized rather than trusted by network location.
- Data anonymization: anonymize data used for analytics or research, or delete it entirely. Note that pseudonymized data (for example, records keyed by a reversible user ID) is still personal data under GDPR; only truly anonymized data falls outside its scope.
- Meet data subject requests: ensure there are policies in place to handle requests for access, rectification, or erasure within the statutory deadlines.
7. Continue to update your DPIA
If you make any changes to your project, make sure these are updated and reflected in your DPIA.
The DPIA acts as the foundation for a company’s data protection measures, but it must be continually updated to keep pace with changing regulations, new technologies, and new threats to consumer data.
How Internxt for Business protects customer data
Internxt Drive for Business and Internxt S3 object storage are GDPR-compliant cloud storage services that protect users with zero-knowledge encryption, access controls, and secure file sharing.
Internxt Drive for Business is the first cloud storage with post-quantum cryptography, and includes other security features such as password-protected file sharing and two-factor authentication for increased security.
Internxt’s business cloud storage also includes access logs, so account managers can monitor and prevent unauthorized access to files.

Get the most private GDPR-compliant cloud storage for up to 100 users and up to 2TB of storage for your team. Pro plans also get access to Internxt VPN, Meet, Mail, and more, starting at €1.80/user/month.
For large-scale data storage and immediate access to petabytes of storage, Internxt also offers S3 object storage for a fixed fee of €7/TB/month and zero data transfer fees, perfect for businesses who need a hot cloud storage solution for fast and secure data access.
Visit the Internxt website to see how our private cloud storage solution can help your business protect user data and prevent data breaches, thanks to its mission of making online privacy easy and accessible to everyone.
Frequently asked questions
What does DPIA stand for?
DPIA stands for Data Protection Impact Assessment. It's a process used to identify and minimize the data protection risks of a project, especially when handling personal or sensitive data.
When is a DPIA required?
When data processing is likely to result in a high risk to the rights and freedoms of individuals from large-scale monitoring, profiling, processing sensitive data, or new technologies.
When is a DPIA not required?
A DPIA is not required when the data processing is unlikely to result in a high risk to individuals’ rights and freedoms, when it appears on a supervisory authority’s list of processing exempt from the requirement, or when the processing has a legal basis in EU or Member State law and an impact assessment was already carried out when that law was adopted.
Who needs to implement a DPIA?
The data controller is responsible for implementing a DPIA. This includes identifying when it's needed, ensuring it's carried out correctly, and taking action based on its findings.
What is Data Protection Impact Assessment in GDPR?
A Data Protection Impact Assessment (DPIA) in GDPR is a process that helps identify, assess, and minimize risks to personal data before starting high-risk processing. It’s required under Article 35(1) for processing likely to result in a high risk to individuals’ rights and freedoms, and Article 35(7) sets out what the assessment must contain.