A data protection impact assessment (DPIA) is a procedure that seeks to identify and control the risks that processing brings to the rights and freedoms of natural persons. DPIAs are also useful instruments in relation to the principle of accountability.
The Regulation establishes the rights that people have regarding the processing of their data (right to information, etc.). When talking about "risks to the rights and freedoms of natural persons", we do not limit ourselves to the rights recognized by the Regulation, but refer to any effect that the data processing may have on the fundamental rights and freedoms of natural persons: freedom of expression, freedom of thought, prohibition of discrimination, freedom of conscience, freedom of religion, etc.
When identifying risks, we must consider any impact of the data processing on natural persons (physical, economic, emotional, etc.). Some potential impacts are:
Impossibility to access services or other opportunities.
Discrimination.
Theft of identity and other frauds.
Economic losses.
Damage to reputation.
Physical damage.
Loss of confidentiality.
Impossibility to exercise any right.
These impacts can materialize for two main reasons.
The data processing as it is designed. For example, data processing may thwart the rights and freedoms of a person because the data being processed is particularly sensitive, because of who has access to the data, etc.
The loss of data security; in particular, the loss of data confidentiality, integrity or availability.
To control the risks inherent in the data processing, the controller must establish the necessary controls to ensure that the processing is done according to the GDPR. In particular, the controller must ensure that the processing is necessary and proportional, and that the necessary mechanisms for natural persons to exercise their rights are properly established.
To keep the risks related to data security under control, the controller has to conduct a risk analysis and then propose security controls that are appropriate to the evaluated risk.