On EU’s Data Protection Impact Assessment System and Its Reference to China

Purpose/Significance The Data Protection Impact Assessment (DPIA) system created by the EU General Data Protection Regulation (GDPR) is of great significance to data risk prevention and control. Learning from the EU’s DPIA system can help China’s enterprise data compliance, the protection of important data, and the construction of data security risk assessment standards. Design/Methodology Firstly, by sorting out the evolution background and theoretical foundation of DPIA system, we comprehensively analyze the application scenario, assessment process, protection model and punishment mechanism of EU DPIA system. Secondly, by sorting out relevant cases, the necessity of establishing data impact assessment system in China at the factual level and normative level is analyzed. Then, comparing the similarities and differences between China’s personal information security impact assessment (PISIA) system and the EU DPIA system in terms of application stages, assessment objectives, assessment products and other relevant regulations, it can be seen that the former focuses on the analysis of the impact dimension of data subjects that will be affected by personal information data leakage, while the latter focuses on the analysis of the dimension of data subjects’ rights and interests protection. Finally, with a problem-oriented approach, relevant suggestions are made for the establishment of the data protection impact assessment system in China. Conclusions/Findings Improving the development of data security risk assessment standards, enhancing the quality and effectiveness of data security risk assessment, and building a comprehensive data supervision system are not only necessary for building a rule-of-law data security risk assessment system, but also an urgent need for China’s economy to realize digital transformation and build a data security guarantee governance system.