• There are no suggestions because the search field is empty.
Open search


The Data Protection Impact Assessment (DPIA) assesses the personal data processing activities, the risks related to the processing and the means of managing them, as well as the implementation of the processing principles in accordance with the General Data Protection Regulation.

DPIA is an excellent tool for ensuring that personal data is processed lawfully and that the risks associated with the processing are properly managed. Comprehensive impact assessment is essential for ensuring data protection accountability.

Benefits of an impact assessment

We carry out Data Protection Impact Assessments (DPIA) from the perspective of systems and services as well as processing processes. For example, a new information system or the processing of health data may be assessed. Initiated as early as possible in application development, DPIA is an effective way to ensure that the principles of data protection by design and by default are met.

As a result of DPIA, you will receive an independent and comprehensive assessment of the current state and development targets of data protection, as well as a concrete risk list and prioritised recommendations to mitigate the risks. With the help of the impact assessment, it is also easy to show customers and partners how data protection has been ensured. Insta's workshop-based DPIA service also serves as a good training opportunity for your organisation's employees participating in the impact assessment.

When should I do an impact assessment?

The Data Protection Regulation requires an impact assessment where the processing is likely to result in a high risk to the rights and freedoms of data subjects. In the assessment of risks, it is important, among other things, to determine the purpose of processing and the nature of the data being processed, the scope and context of the processing, the number of data subjects and the technology used.

The DPIA is mandatory, for example, when personal data belonging to special categories of personal data (such as health data) are processed on a large scale or when the processing involves profiling or other similar assessment and automated decision-making.

An impact assessment is also necessary, for example, for the systematic monitoring of public spaces. In Finland, an impact assessment is also required in connection with whistleblowing systems and in certain situations when, for example, location data is processed.

More Information:

Jyrki Nivala

Jyrki Nivala

Contact Us