Privacy Impact Assessment Guide
1. Purpose
This guide (Ref: COMP-DP-005) provides practical guidance on when and how to conduct a Data Protection Impact Assessment (DPIA), as required by Article 35 of the GDPR. A DPIA is a structured process for identifying, assessing, and mitigating the data protection risks associated with a processing activity before it commences.
2. When Is a DPIA Required?
A DPIA is mandatory when a processing activity is likely to result in a high risk to the rights and freedoms of natural persons. The following criteria indicate that a DPIA is required:
- Systematic and extensive evaluation of personal aspects based on automated processing, including profiling, which produces legal or similarly significant effects (e.g., credit scoring, automated lending decisions).
- Processing of special categories of data or criminal conviction data on a large scale.
- Systematic monitoring of a publicly accessible area on a large scale (e.g., CCTV surveillance).
- Use of new technologies or novel processing methods.
- Large-scale processing of children's data.
- Automated decision-making with legal or similarly significant effects.
- Cross-border data transfers to jurisdictions without an adequacy decision, involving large volumes of personal data.
- Processing that could result in discrimination, identity theft, financial loss, or reputational damage.
As a general rule, if a processing activity meets two or more of the above criteria, a DPIA should be conducted. The Data Protection Office maintains a list of processing activities for which a DPIA is always required (the "DPIA Positive List").
3. When Is a DPIA Not Required?
A DPIA is not required where:
- The processing is not likely to result in a high risk to individuals.
- A very similar DPIA has already been completed for an equivalent processing activity.
- The processing has a legal basis in EU or Member State law that was adopted following a DPIA carried out by the legislator.
- The processing is included on the supervisory authority's list of exemptions (where available).
In cases of doubt, the Data Protection Office should be consulted before deciding not to conduct a DPIA.
4. DPIA Process
Step 1 — Screening
The project or initiative owner completes a DPIA Screening Questionnaire (available on the Bank's intranet) to determine whether a full DPIA is required. The completed screening must be submitted to the Data Protection Office for review within five (5) business days of the processing activity being proposed.
Step 2 — Description of Processing
If a full DPIA is required, the project owner must document:
- The nature, scope, context, and purpose of the processing.
- The categories of personal data and data subjects involved.
- The data flows, including any third-party recipients and cross-border transfers.
- The lawful basis for processing.
- The retention periods applicable to the data.
Step 3 — Necessity and Proportionality Assessment
The DPIA must evaluate whether the processing is necessary and proportionate to the stated purpose, considering:
- Whether less intrusive alternatives exist.
- Whether the processing achieves its objective effectively.
- Whether data minimisation principles have been applied.
Step 4 — Risk Assessment
Identify and assess the risks to data subjects' rights and freedoms. Risks must be assessed using the Bank's standardised risk matrix:
| Likelihood | Impact | Risk Rating |
|---|---|---|
| Low | Low | Low |
| Low | High | Medium |
| High | Low | Medium |
| High | High | High |
Step 5 — Mitigation Measures
For each identified risk, propose and document mitigation measures (e.g., encryption, access controls, pseudonymisation, data minimisation, contractual safeguards). The residual risk after mitigation must be assessed and documented.
Step 6 — DPO Consultation
The completed DPIA must be submitted to the DPO for review. The DPO will provide a written opinion within ten (10) business days. If the DPO identifies unmitigated high risks, the processing must not proceed until further measures are implemented or the relevant supervisory authority is consulted under Article 36 of the GDPR.
Step 7 — Approval and Record
The DPIA must be approved by the Data Owner and the DPO before the processing activity commences. The approved DPIA is retained in the Bank's DPIA register, maintained by the Data Protection Office.
5. Ongoing Review
DPIAs must be reviewed whenever there is a material change to the processing activity and, at a minimum, every two (2) years.
6. Review
This guide is reviewed annually by the Data Protection Office. Next review: Q1 2027.