The statement that is true about the Data Protection Impact Assessment (DPIA) process as required under the General Data Protection Regulation (GDPR) is that the DPIA must include a description of the proposed processing operation and its purpose. According to Article 35(7) of the GDPR, a DPIA shall contain at least:
“a systematic description of the envisaged processing operations and the purposes of the processing”;
“an assessment of the necessity and proportionality of the processing operations in relation to the purposes”;
“an assessment of the risks to the rights and freedoms of data subjects”;
“the measures envisaged to address the risks”, including “safeguards”, “security measures” and “mechanisms to ensure the protection of personal data” and “to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned” [5].
Therefore, a DPIA must include a description of what data processing activities are planned and why they are needed as part of its content. This helps to provide a clear overview of the processing operation and its objectives as well as to assess its necessity and proportionality in relation to its purposes [6].

References:
[5] General Data Protection Regulation (GDPR) – Official Legal Text, Article 35(7)
[6] Data protection impact assessments | ICO