OneTrust Certified Privacy Professional Practice Exam

Prepare for the OneTrust Certified Privacy Professional Exam with detailed questions and explanations. Utilize flashcards and comprehensive MCQs to ensure you're ready to excel in your certification journey.

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


Which type of data processing requires a Data Protection Impact Assessment (DPIA) under GDPR?

  1. Processing that has no impact on individual privacy

  2. Processing likely to result in a high risk to the rights and freedoms of natural persons

  3. Processing that involves only public data

  4. Processing that is conducted by third parties only

The correct answer is: Processing likely to result in a high risk to the rights and freedoms of natural persons

The requirement for a Data Protection Impact Assessment (DPIA) under the General Data Protection Regulation (GDPR) specifically applies to processing activities that are likely to result in a high risk to the rights and freedoms of natural persons. This provision is in place to ensure that organizations take proactive steps to assess and mitigate risks associated with their data processing activities. A DPIA helps to identify and minimize the potential impact that new projects may have on individuals' personal data. It is particularly important in contexts where new technologies are being employed or where large-scale processing of sensitive personal data occurs. By conducting a DPIA, data controllers can evaluate the necessity and proportionality of the processing, assess its potential risks, and implement measures to address those risks before the processing starts.

In contrast, processing that has no impact on individual privacy, involves only public data, or is conducted solely by third parties does not automatically trigger the need for a DPIA, as these situations may not pose significant risks to individuals' rights and freedoms. Thus, option 2 identifies the correct context for when a DPIA is mandated under GDPR.