DPIA
A DPIA (Data Protection Impact Assessment) is a tool for systematically identifying and minimizing data protection risks before a new system is put into use.
Under the General Data Protection Regulation (GDPR, Article 35), a DPIA must be carried out before any processing of personal data that is likely to result in a high risk to individuals' rights and freedoms, in particular where new technologies are used.
The aim is to identify, assess, and minimize these risks before the system goes live. If the residual risk remains high after the planned measures are applied, Article 36 requires the controller to consult the supervisory authority before the processing starts.
What must a DPIA contain?
Regardless of which template you use, the GDPR requires the impact assessment to include at least four elements:
- A systematic description of the planned processing and its purposes
- An assessment of necessity and proportionality—is the processing necessary and proportionate to the purpose?
- An assessment of the risks to the rights and freedoms of data subjects
- Risk management measures—the measures planned to address the risks (e.g. security measures and procedures)
Shared division of responsibility
The work is based on a shared division of responsibility: your organization, as the controller, owns the DPIA and is responsible for its content, while Intric, as the processor, provides the supporting material, documentation, and tools (including our DPIA Assistant) that the controller needs to complete it.
- You know how you will use the system, which documents you plan to upload, and what your internal procedures are. You fill in these parts based on your organization’s context.
- We (Intric) know exactly how the technology works, where data is stored, and which security measures protect it. We provide you with ready-made material, technical descriptions, and an interactive Assistant that guides you through the process.
Overview of the division of responsibility
| GDPR requirement | What the organization documents | What Intric provides |
|---|---|---|
| 1. A systematic description of the planned processing and its purposes | The purpose of use, which documents/content will be uploaded, and which internal resources are involved | Technical system description, data flows, geographic storage, and a full list of sub-processors |
| 2. An assessment of whether processing is necessary and proportionate to the purpose | The legal basis for processing, internal retention rules, and procedures for data subject rights | Technical support for storage minimization, automated deletion, and deletion/export of data |
| 3. An assessment of risks to data subjects’ rights and freedoms | Identification of operational risks (e.g. incorrect internal use) and assessment of likelihood and severity | Pre-filled processor risks, certifications (ISO 27001, SOC 2), and incident history to support your assessment |
| 4. The measures planned to address the risks | Internal technical and organizational measures (e.g. policies, procedures, training) and assessment of residual risk | Intric’s built-in security measures (e.g. access control/RBAC, encryption, backup), best practices for secure configuration, and contractual guarantees (DPA) |
Get started with your DPIA
To make the process as simple and clear as possible, we have developed a step-by-step guide based on methodology and material from organizations that have already completed a DPIA for their use of Intric.
A DPIA for AI is not a different process
It is important to understand that a DPIA for an AI tool like Intric does not differ in substance from a DPIA for other IT systems. The process follows the same structure and requirements as when implementing any other system that processes personal data—whether an HR system, a CRM tool, or a document management system.
What is unique to your implementation is not the technology itself, but how you choose to use it, what data you process, and which risks arise in your specific context.