Data Protection Impact Assessment (DPIA)

When is a DPIA required? Blacklist, process, content, and consultation of the supervisory authority.

Data Protection Impact Assessment (DPIA) under the GDPR

Article 35 GDPR requires a Data Protection Impact Assessment (DPIA) when a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. The DPIA is a structured risk assessment that helps organisations identify, evaluate, and mitigate data protection risks before the processing begins.

The DPIA is not a mere formality. It requires genuine analysis and decision-making, and the results must be documented and acted upon. Supervisory authorities regularly check for the existence and quality of DPIAs during investigations.

When Is a DPIA Required? (Art. 35(3))

A DPIA is required in particular for the following types of processing:

  • Systematic and extensive evaluation: Evaluation of personal aspects of individuals based on automated processing, including profiling, on which decisions are based that produce legal effects concerning them or similarly significantly affect them.
  • Large-scale processing of special categories: Processing of data under Art. 9 (health, biometric, genetic, religious data, etc.) or Art. 10 (criminal convictions) on a large scale.
  • Systematic monitoring of public areas: Large-scale, systematic monitoring of publicly accessible areas (e.g. CCTV surveillance).

Additionally, each supervisory authority must publish a list of processing operations that require a DPIA in its jurisdiction (Art. 35(4)), commonly called a blacklist. For example, the list of the German DSK (Data Protection Conference) includes categories such as: processing of location data, use of innovative technologies (e.g. AI), and creation of comprehensive profiles.

When Is a DPIA Not Required?

A DPIA is generally not required when:

  • The processing is not likely to result in a high risk to data subjects
  • A very similar DPIA has already been carried out for a comparable processing operation
  • The processing is on a supervisory authority's whitelist (Art. 35(5))
  • The processing has a legal basis in EU or member state law that already included a DPIA during the legislative process

DPIA Process: Step by Step

Step 1: Threshold Assessment

Before conducting a full DPIA, perform a threshold assessment to determine whether the processing actually triggers the DPIA requirement (Art. 35(3) criteria and the relevant authority's list). Document your reasoning regardless of the outcome: under the accountability principle (Art. 5(2)) the controller must be able to show why a DPIA was or was not carried out.

Step 2: Describe the Processing

Provide a systematic description of the processing operations, their purposes, the legitimate interest pursued (if applicable), and an assessment of the necessity and proportionality of the processing in relation to the purposes.

Step 3: Assess the Risks

Identify and evaluate the risks to the rights and freedoms of data subjects. Consider both the likelihood and severity of potential harm. Types of harm include: discrimination, identity theft, financial loss, damage to reputation, loss of confidentiality, and any other significant economic or social disadvantage.

Step 4: Identify Mitigation Measures

Define measures to address the identified risks. These may include technical measures (encryption, pseudonymisation, access controls), organisational measures (policies, training), or changes to the processing itself (data minimisation, shorter retention periods). See our Technical and Organisational Measures guide for details.

Step 5: Consult the DPO

The controller must seek the advice of the Data Protection Officer (where designated) when carrying out the DPIA (Art. 35(2)). Where appropriate, the controller should also seek the views of data subjects or their representatives on the intended processing (Art. 35(9)).

Step 6: Prior Consultation (Art. 36)

If the DPIA indicates that the processing would still result in a high risk after the planned mitigation measures are taken into account (i.e. the residual risk remains high), the controller must consult the supervisory authority before processing begins. The authority has eight weeks to provide written advice, extendable by a further six weeks for complex cases (Art. 36(2)).

Mandatory DPIA Contents (Art. 35(7))

The assessment must contain at least:

  • A systematic description of the processing operations and their purposes, including legitimate interest where applicable
  • An assessment of the necessity and proportionality of the processing
  • An assessment of the risks to the rights and freedoms of data subjects
  • The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure data protection

Common DPIA Triggers: Examples

  • Employee monitoring systems: Time tracking, email monitoring, GPS tracking of company vehicles
  • AI and machine learning: Automated scoring, credit decisions, fraud detection
  • Health data processing: Patient management systems, clinical trials, health apps
  • Large-scale profiling: Behavioural advertising, customer segmentation at scale
  • Biometric identification: Fingerprint or facial recognition access systems
  • Smart city projects: Public Wi-Fi tracking, traffic monitoring with personal data

The DPIA is not a one-off exercise: the controller must review it at least when the risk presented by the processing changes (Art. 35(11)), and in practice whenever the nature, scope, context, or purposes of the processing change significantly or new risks emerge.

Conduct DPIAs Systematically

Kopexa provides structured DPIA templates, risk assessment frameworks, and integration with your records of processing. Identify high-risk processing activities automatically and document your assessments in an audit-proof manner.
