Welcome to Article 5 of our Data Protection and Privacy Knowledge Management Series. We are now a quarter of the way into the series and the discussion is getting more technical. In Articles 1 to 4, we explored the fundamentals of data protection. Now, we will discuss the concept of Data Protection Impact Assessments (DPIAs): what they are, their importance, and how to conduct them.
What is a Data Protection Impact Assessment?
A Data Protection Impact Assessment (DPIA) is a process designed to help organisations identify, evaluate, and mitigate the risks that their data processing activities pose to individuals’ rights and freedoms.
Under Article 35 of the GDPR, controllers are required to carry out a DPIA when a type of processing is “likely to result in a high risk to the rights and freedoms of natural persons.” The Nigeria Data Protection Act 2023 (NDPA) adopts the same approach, requiring DPIAs for high-risk processing activities (see Section 29). The NDPA-GAID 2025 provides even more detail by specifying risk indicators and the situations in which a DPIA must be conducted.
Put simply, a DPIA is both a risk management tool and a compliance mechanism. It ensures that privacy risks are identified early and that safeguards are integrated into processing “by design and by default.”
When Must a DPIA Be Carried Out?
Both the GDPR and NDPA require DPIAs where processing is likely to result in high risks to data subjects. Examples of high-risk processing include:
- Large-scale processing of sensitive personal data (such as health, biometric, or genetic data).
- Systematic and extensive profiling of individuals, especially where decisions have legal or significant effects (e.g. credit scoring).
- Monitoring publicly accessible areas on a large scale (e.g. use of CCTV in smart cities).
- Use of emerging technologies like AI, facial recognition, or big data analytics.
The NDPA-GAID specifically highlights:
- Processing children’s personal data.
- Processing that involves cross-border transfers.
- Processing that could significantly affect data subjects’ rights and freedoms in Nigeria.
In practice, it is not always clear whether a given processing activity amounts to high-risk processing. If you are unsure whether your processing requires a DPIA, err on the side of caution and perform one.
Other African frameworks echo similar requirements. For example, Kenya’s Data Protection Act 2019 (Section 31) also mandates DPIAs for high-risk processing, aligning with both the EU and Nigerian models.
Why are DPIAs Important?
Legal compliance – They are mandatory under both the GDPR and the NDPA when processing is likely to pose high risks.
Accountability – A DPIA demonstrates that an organisation has taken steps to comply with the principles of fairness, transparency, and accountability.
Risk reduction – By identifying and addressing risks at the planning stage, organisations can prevent costly data breaches and reputational damage.
Building trust – DPIAs show customers, regulators, and partners that privacy and data protection are taken seriously.
How to Conduct a DPIA
A DPIA is not a box-ticking exercise. It is a structured, iterative process. According to the GDPR, NDPA, and NDPA-GAID, a DPIA should do the following:
- Describe the Processing Activity
  - Nature, scope, context, and purpose of processing.
  - Categories of data subjects and personal data involved.
- Assess Necessity and Proportionality
  - Confirm whether the processing is necessary for the purpose.
  - Consider if less intrusive means could achieve the same objective.
- Identify Risks
  - What risks could arise for data subjects? Examples: unauthorised access, discrimination, identity theft, reputational harm.
- Evaluate Likelihood and Severity
  - Use risk matrices to assess both the probability of the risk occurring and its potential impact.
- Identify Safeguards and Mitigation Measures
  - Technical: encryption, pseudonymisation, access control.
  - Organisational: staff training, policies, limited retention.
  - Legal: contracts, data processing agreements, cross-border transfer safeguards.
- Document and Review
  - Keep a written record of the DPIA and the steps taken.
  - Submit to the regulator when required (e.g. the NDPA requires submission in some high-risk cases).
  - Review regularly as technology or processing changes.
Role of the Data Protection Officer (DPO) in DPIAs
Both the GDPR and the NDPA require that, where a DPO is appointed, the DPO is closely involved in the DPIA process. The DPO provides expert advice, ensures objectivity, and acts as a bridge to the supervisory authority.
The Bottom Line
A DPIA is not just a regulatory burden. It is an opportunity for organisations to embed privacy by design, anticipate compliance challenges, and earn trust in the digital economy. In the African tech ecosystem, where trust deficits are high, conducting DPIAs proactively can distinguish responsible businesses from the rest.
Short Test
- Which of the following is NOT a scenario that typically requires a DPIA?
  a) Large-scale processing of health data
  b) Profiling for automated credit decisions
  c) Sending newsletters to customers who opted in
  d) Deploying facial recognition in airports
- True or False: A DPIA is optional under the NDPA and is only recommended, not required.
- What is the role of the Data Protection Officer in the DPIA process? Select all that apply.
  a) To approve all processing contracts
  b) To provide advice and ensure compliance during the DPIA
  c) To act as the organisation’s IT manager
  d) To eliminate the need for a DPIA altogether