Carrying out a data protection impact assessment when necessary

16 October 2023

Creating a dataset for the training of an AI system can lead to high risks to people’s rights and freedoms. In this case, a data protection impact assessment is mandatory. The CNIL explains how, and in which cases, it should be realised.

The Data Protection Impact Assessment (DPIA) is an approach that allows to map and assess the risks of a personal data processing and to establish an action plan to reduce them to an acceptable level. This approach, facilitated by the tools provided by the CNIL, is particularly useful to control the risks associated with a processing before it is implemented, but also to ensure their follow-up over time.

In particular, a DPIA makes it possible to carry out:

  • an identification and a risk assessment for individuals whose data could be collected, by means of an analysis of their likelihood and severity;
  • an analysis of the measures enabling individuals to exercise their rights;
  • an assessment of people’s control over their data;
  • an assessment of the transparency of the data processing for individuals (consent, information, etc.).

The realisation of a DPIA for the development of AI systems

AI Risks to Consider in a DPIA

Actions to be taken on the basis of the results of the DPIA