Data Protection Impact Assessment (DPIA)

Lexagone supports you in setting up and monitoring your Data Protection Impact Analysis (DPIA).

Identify your risky processing, secure your processes, and ensure GDPR compliance to sustainably protect your data and your organization.

Request a free consultation today!

aipd
aipd lexagone min

Our GDPR experts carry out your DPIA using the EBIOS RM method

Since 2018, Lexagone has carried out DPIAs for innovative processing operations, some of which have been submitted to the CNIL as an external DPO or GDPR consulting firm.

These assignments have enabled our GDPR experts to identify the CNIL’s requirements very early on and to test the EBIOS Risk Manager method.

Thus, for the completion of your DPIAs, we work closely with the business lines, the RSSI and the information systems department (DSI) in order to map very precisely the technical and organizational aspects of the risky processing in order to assess the seriousness and likelihood of the feared events.

Are DPIAs mandatory?

DPIAs are mandatory for any processing of personal data that presents a high risk to the rights and freedoms of the persons concerned.

The CNIL has established the list of types of processing operations for which it is mandatory to carry out a DPIA. Here is an extract from the list:

“Health” treatments implemented by healthcare establishments (hospitals, university hospitals, clinics, etc.)
Processing aimed at facilitating recruitment, in particular through a selection algorithm
Treatments for detecting and managing “high potentials”
CCTV of a warehouse storing valuable goods where handlers work
Whistleblowing system
Mobile applications that collect users’ geolocation data

DPIAs are also mandatory for processing operations that include at least two of the nine criteria from the G29 guidelines:

  • Evaluation or scoring (including profiling).
  • Automatic decision with legal or similar effect.
  • Systematic monitoring.
  • Collection of sensitive data or highly personal data.
  • Collection of personal data on a large scale.
  • Data cross-referencing.
  • Vulnerable persons (patients, elderly people, children, etc.).
  • Innovative use (use of new technology).
  • Exclusion of the benefit of a right or contract.
aipd pia lexagone min

OUR REFERENCES

iess.2023 min
efs.2025 min min
fcj copie min
aphm.2025 min
3251cee7 4bd7 4c06 866a 800e2619822d min
smatis min min

Client testimonials: our approach to DPIA missions

The public interest group "Innovation e-Santé Sud" carrying out the mission of supporting the development of e-health in the PACA region, selected the Lexagone firm to carry out its GDPR maturity audit and the PIA of its regional health portal. This choice was motivated by the experience of consultants specializing in the fields of health and cybersecurity. We were thus supported by a multidisciplinary, organized, efficient and caring team that was able to successfully carry out its service, in close collaboration with our employees.

Tatiana RAKLegal Officer and DPO of GIP ieSS

The Hospital Center where I am the CIO, has designated the Lexagone firm as external DPO for all of its establishments (health and medico-social) with the CNIL.
Their team of specialized consultants set up our GDPR governance alongside the DSI in close collaboration with the business referents and the RSSI.
Thanks to their organization, their availability and their pedagogy, Lexagone consultants were able to successfully carry out all the missions entrusted to them, including the most complex ones such as the DPIA.
I recommend them to you for your GDPR "projects". They will be able to adapt to your requirements while remaining compliant.

Naky La LouzeDirector of Information Systems CH LA FERTE BERNARD

Frequently Asked Questions

What is a data protection impact assessment?

A DPIA is divided into three parts:

  • A precise description of the data processing implemented, detailing precisely its technical and operational aspects.
  • A legal assessment of compliance concerning the purpose, data and retention periods, information and rights of individuals, etc.).
  • A technical assessment of risks related to data security (confidentiality, integrity and availability) with their potential impacts on the privacy of the persons concerned.

The DPIA report must determine the technical and organizational measures necessary to eliminate or mitigate the likelihood of data breach risks occurring and the level of material and moral impact on individuals.

NB: Data Protection Impact Assessment (DPIA), Privacy Impact Assessment (PIA), Data Protection Impact Assessment (DPIA) and PIA (Privacy Impact Assessment) are synonymous terms.

Who should carry out the impact analysis?

The data controller (DC) has the obligation to ensure the compliance of its personal data processing.

If the DC has appointed a data protection officer, it asks for advice and instructs it to ensure the execution of the DPIA.

If a subcontractor is involved in the processing, it must provide its assistance and the information necessary for the completion of the DPIA.

Finally, the data controller should also seek the opinion of the persons concerned by the risky processing or, otherwise, justify this non-solicitation.

For your dpia to be complete, the professions (project management) and the persons in charge of information systems security must participate in the process of producing the DPIA and its validation.

Is there a required method for carrying out impact analysis?

As a preliminary step, a DPIA must contain:

  • A detailed description of the processing operations envisaged and the purposes pursued
  • An assessment of the proportionality of the data collected in relation to the purposes of the processing.
  • A risk assessment of the rights and freedoms of the persons concerned.
  • A list of measures envisaged to address the risks of data breaches in order to ensure the protection of personal data and to provide proof of compliance with the GDPR.

To meet these obligations, several methods are possible. Indeed, the data controller is free to choose it, but whatever the method chosen, it must comply with the criteria defined in Appendix 2 of the G29 guidelines.

However, for the sake of efficiency and pragmatism, it is strongly recommended to use the EBIOS Rick Manager method chosen by the CNIL and ANSSI, which Lexagone also uses.

Let's talk about your compliance


Contact Information

Mail : contact@lexagone.fr
Phone : +33 (0)972 169 310

Lexagone is present at:

  • Biarritz
  • Bordeaux
  • Grenoble
  • Lille
  • Lyon
  • Marseille
  • Montpellier
  • Nantes
  • Paris
  • Toulon
lexagone logo

Our GDPR consulting firm offers external DPO services managed by teams of specialized legal experts to ensure controlled GDPR governance.

Member of

afcdp min
logo apssis h100 min
club decision dsi min

Referenced by

logo caih 400 copie 0 0 1 min
53a58cfd 2d9c 4a08 84ac f80456cd147b
logo csirt blue
logo footer@2x