Section 31 of the Data Protection Act requires that Data Protection Impact Assessment DPIAs be performed when there is a “high risk to the rights and freedoms of data subjects” from data processing. A Data Protection Impact Assessment (DPIA) describes a process designed to identify risks arising out of the processing of personal data and to minimize these risks as far and as early as possible.
A data protection impact assessment shall include the following —
(a) A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller or data processor;
(b) An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(c) An assessment of the risks to the rights and freedoms of data subjects;
(d) The measures envisaged to address the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Act, taking into account the rights, and legitimate interests of data subjects and other persons concerned.
DPIAs must be submitted 60 days prior to the commencement of the processing activities proposed under the DPIA.