The General Data Protection Regulation ("GDPR") requires organisations processing personal data to be proactive with respect to their data-processing activities, including by continuously monitoring and evaluating those activities to ensure they meet the GDPR's principles and requirements. A key requirement under the GDPR is to carry out a Data Protection Impact Assessment ("DPIA"), both on an ongoing basis, to assess the risks associated with processing activities, and as a result of certain changes or events in an organisation's life cycle. This is also one of the key responsibilities of the company's Data Protection Officer.

In recent months, various data protection regulators across the EU have published updated guidelines concerning when and how organisations must carry out a DPIA. These recent regulatory changes demonstrate that during 2019, data protection regulators across the EU are expected to initiate more enforcement actions against companies that failed to comply with the requirement to perform DPIAs. Failing to carry out a DPIA when required may leave an organisation susceptible to fines of up to €10 million, or 2% of global annual turnover.

The attached "DPIA Triggers Cheat-Sheet" was prepared by Ido Manor, a partner in our Technology & Regulation Department, to provide our clients and friends with key information on what DPIAs are and how they should be performed, as well as practical examples of processing activities and areas of practice that require a DPIA, reflecting recent key regulatory changes.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.