Data Protection Impact Assessment

The Data Protection Impact Assessment, or DPIA, is another requirement that follows from the GDPR, which states that the data controller shall carry out an assessment of the potential impact of the processing of personal data if such processing is likely to result in a high risk to the rights and freedoms of natural persons. 

Further, the GDPR states that the data processor (Visma in most cases) should assist the controller (you as the customer in most cases) where necessary. To this end, we have created a detailed template for DPIA suitable for a software product, and criteria to determine if a DPIA is needed for a particular product or processing activity. 

The DPIA template is structured as follows.

Description of the processing, such as:

  • Legal basis for processing
  • Scope, duration and nature of the processing
  • Recipients, systems and tools to be used for the processing
  • Compliance with customer contracts


  • Responsible parties
  • Advice of the DPO

Necessity and proportionality

  • Specified, explicit and legitimate purposes for processing
  • Necessity of the processing
  • Data minimisation
  • Storage limitation

Measures contributing to the rights of data subjects

  • Information to data subjects
  • Publication of main findings
  • Right of access, erasure etc., and the right to object
  • Prior consultation

Risk assessment

  • Threats or sources of risk
  • Potential impact to the rights and freedoms of data subjects
  • Risk assessment