Glossary term
DPIA
Also: Data Protection Impact Assessment, DSFA, Datenschutz-Folgenabschätzung
Mandatory assessment under GDPR Art. 35 where processing is likely to result in high risk to the rights and freedoms of natural persons. Required e.g. for systematic evaluation, large-scale processing of special categories and systematic monitoring of public areas.
Content per Art. 35(7): description of processing, assessment of necessity and proportionality, assessment of risks, measures to mitigate risk.
Process: standard trigger check against the trigger list; if a trigger applies, DPIA with involvement of the DPO; if a high residual risk remains after mitigation, prior consultation of the supervisory authority; ongoing review whenever the processing changes.
Link to AI: under EU AI Act Art. 27 a Fundamental Rights Impact Assessment (FRIA) is required for high-risk AI used by public bodies and providers of essential services. FRIA and DPIA overlap but are not identical.
Related terms
Schrems II
CJEU ruling of 16 July 2020 that invalidated the EU-US Privacy Shield and only allowed Standard Cont…
TIA
Assessment of the protection level in the recipient country for data transfers to third countries af…
Dealbreaker
A hard requirement that immediately disqualifies an option if not met, independent of weighted scori…
Decision memo
A short structured document that captures why a decision was made, the options considered, the crite…
Defensible record
A single versioned artefact that captures a decision in enough structure, with enough evidence and s…
DLP
Software category for detecting and preventing unauthorised data outflow. Operates on endpoints, net…
DMARC / DKIM / SPF
Three standards that together authenticate email senders and impede spoofing. SPF authenticates the …
DORA
EU regulation on digital operational resilience in the financial sector. Directly applicable since 1…
