Who should carry out a DPIA?
ANSWER
Under Article 35(1) GDPR, the controller is responsible for carrying out the DPIA. The DPO should be consulted by the controller. The Article 29 Working Party notes that consultation should cover the following issues:
- the need to carry out a data protection impact assessment;
- the method to be applied when conducting the data protection impact assessment;
- determining whether the data protection impact assessment should be carried out in-house or entrusted to an external entity;
- determining what safeguards (including technical and organizational measures) should be applied to mitigate any kind of threat to the rights and interests of data subjects;
- determining whether the data protection impact assessment was carried out correctly and whether its results (conclusions on whether data processing should continue and what safeguards should be applied) comply with the GDPR.
In practice, the DPO, as one of the most competent persons in the organization, will have a key role in conducting the DPIA, which may consist of acting as a guide or helping to carry out the DPIA. The DPO agreement should clearly define competences in this regard. It should be remembered that ultimately only the controller can be responsible (accountable) for carrying out the DPIA, and the DPO's default role is advisory — making recommendations and monitoring results.