Do I have to carry out a data protection impact assessment? What are the requirements for the assessment?
A data protection impact assessment (DPIA) is an assessment of privacy consequences of any data processing. If it is probable that the planned processing of personal data will entail a high risk to the privacy of the data subjects, the data controller must assess the consequences of the processing. The Norwegian Data Protection Authority has prepared a list of types of processing that always require a DPIA. The list can be found here (Norwegian).
A DPIA involves a systematic description of the processing activities, an assessment of the necessity of the processing, proportionality, and the risk of the processing. Planned measures to manage the described risks are then to be described. Finally, the data controller's management must approve the privacy impact assessment.
Contact us here if you need help completing a DPIA.