Lexipedia

Data protection impact assessment

A data protection impact assessment evaluates high-risk processing to identify privacy risks and define measures to reduce them.

A data protection impact assessment, often abbreviated DPIA, is used where planned processing may pose a high risk to the personality or fundamental rights of the persons concerned. Swiss practice considers factors such as sensitive data, large-scale processing, systematic monitoring, profiling, new technologies and vulnerable persons. The assessment describes the processing, evaluates necessity and proportionality, identifies risks and sets mitigation measures. If a high residual risk remains, consultation with the competent supervisory authority may be required. A DPIA is a governance tool, not a one-time formality.