Of the following options which is NOT a purpose of carrying out a Data Protection Impact Assessment (DPIA)?

Of the following options which is NOT a purpose of carrying out a Data Protection Impact Assessment (DPIA)?
A . It is necessary to fulfil the requirement that all DPIAs are submitted to the ICO
B . It is key to the accountability element of the GDPR.
C . It fulfils a requirement that data protection is carried out by design and default.
D . It assists in identifying the main risks that may exist in any use of data, so that they can be mitigated

View Answer

Answer: A

Explanation:

A DPIA is not required to fulfil the requirement that all DPIAs are submitted to the ICO, because this is not a requirement under the GDPR. The GDPR only requires that the controller consults the ICO before carrying out processing that is likely to result in a high risk to individuals, if the controller cannot mitigate that risk. This means that not all DPIAs need to be submitted to the ICO, only those that identify a high residual risk that cannot be reduced. The other options are valid purposes of carrying out a DPIA, as they help the controller to comply with the GDPR, ensure data protection by design and by default, and identify and mitigate the main risks to individuals’ rights and freedoms.

Reference: Article 35 and 36 of the GDPR3

ICO guidance on DPIAs5