A DPIA must be a genuine evaluation of the risks posed to employees and outline the measures that an employer envisages taking to address them. Beyond this, there is no strict form a DPIA must take; instead what is appropriate will depend (amongst other things) upon the nature and complexity of the processing, the potential risks posed by the processing, the resources of the employer, and any further guidelines that may be put in place (for example, any guidelines related to a specific industry sector).
In conducting a DPIA, an organisation must ask itself the following questions:
- What does the processing activity involve and is there a legal ground for the processing?
- What is the purpose of the processing? (especially in case of secondary use) what was the original purpose?
- Is it necessary and proportionate given the risks involved?
- What measures are in place to mitigate the risks?
- Does the processing activity comply with the GDPR in all other respects?
