CCH Software User Documentation

Data protection by design with DPIAs



For data protection to become part of an organisation's everyday business practice, it needs to undertake Data Protection Impact Assessments (DPIAs). A DPIA requires the business to describe the processing, explain how that processing complies with the fundamental principles of the GDPR, and set out the risks to individuals together with the measures put in place to mitigate them.

The DPIA is a process for building and demonstrating compliance, not a one-off document. The owner or drafter of the DPIA will need to solicit comments from different reviewers, which may include the Data Protection Officer (DPO), and will need to get the DPIA approved. The software's DPIA workflow helps manage this process and records all of the feedback.

When should you conduct a DPIA?


Certain processing operations are considered high risk: using the personal data of children or other vulnerable individuals, tracking an individual's behaviour, processing genetic or biometric data, and processing personal data on a large scale. In short, any processing that is likely to result in a high risk to individuals requires you to undertake a DPIA before it begins.

The regulation says that whenever the data processing is likely to result in a high risk to individuals, you must carry out a DPIA. Even if you have decided that a DPIA is not needed, you should document why you reached that decision, so the reasoning can be shown to a supervisory authority if it is ever questioned.

CCH GDPR Compliance makes it easy for you to document why you need to do a DPIA, or why you do not, and how the DPIA relates to the processing activity you are undertaking.

What should a DPIA contain?

Drawing on best practices suggested by European data protection supervisory authorities, our DPIA builder will make sure your DPIA:

  • Details all elements of the data processing operation
  • Describes the reasons for processing, including explanations of any legitimate interests pursued by the controller
  • Assesses the necessity and proportionality of the processing in relation to the purposes
  • Assesses and documents the risks to data subjects
  • Details what measures you’ve put or are putting in place to mitigate these risks

We help you to:

  • Define the DPIA's scope and assign roles and responsibilities for its drafting, its review and its approval.
  • Determine whether or not a DPIA is required.
  • Identify why a DPIA is relevant.
  • Capture and describe all the processing details.
  • Demonstrate the controls you've implemented to protect individuals' data rights.
  • Identify the risks and produce a risk catalogue.
  • Detail the technical or organisational measures you've put in place to mitigate those risks.
  • Get sign-off and approvals.

At the end of the process, you will have an assessment that you can share internally with all stakeholders, so they understand the risks and how they are being mitigated. You will also have documentation showing that you have gone through this process and, where the residual risk remains high, something to share with your supervisory authority when consulting them.
