What is a DPIA?

A Data Protection Impact Assessment (DPIA) is a process to help identify and minimize the data protection risks of a project. It is required under Article 35 when processing is likely to result in a high risk to individuals' rights and freedoms.

When Is a DPIA Required?

Mandatory Under Article 35(3)

  • Systematic and extensive profiling with significant effects on individuals
  • Large-scale processing of special category data or criminal conviction data
  • Systematic monitoring of a publicly accessible area on a large scale

EDPB High-Risk Criteria

A DPIA is likely required if processing meets two or more of these criteria:

  • Evaluation or scoring (profiling, predicting)
  • Automated decision-making with legal/significant effects
  • Systematic monitoring
  • Sensitive data or data of highly personal nature
  • Data processed on a large scale
  • Matching or combining datasets
  • Data concerning vulnerable data subjects
  • Innovative use or applying new technology
  • Processing that prevents data subjects from exercising rights

DPIA Screening

Before conducting a full DPIA, perform screening:

  1. Is this a new processing activity or significant change?
  2. Does it involve personal data?
  3. Does it meet any mandatory DPIA triggers?
  4. Does it meet two or more EDPB criteria?
  5. Is it on the supervisory authority's required list?

Document the screening decision and rationale, whether or not a full DPIA proceeds.

DPIA Content

Article 35(7) requires a DPIA to contain at minimum:

  • Description of processing: Operations, purposes, legitimate interest (if applicable)
  • Necessity and proportionality: Assessment against the purpose
  • Risk assessment: Risks to data subjects' rights and freedoms
  • Measures: Safeguards and measures to address risks

Recommended Additional Content

  • Legal basis and justification
  • Data flows and recipients
  • Retention periods
  • Security measures
  • Data subject rights procedures
  • International transfers and safeguards
  • DPO consultation record
  • Sign-off and review schedule

DPIA Process

Step 1: Describe the Processing

  • What data will be processed?
  • Why is it being processed?
  • How will it be collected, used, stored, shared?
  • Who has access?
  • How long will it be kept?

Step 2: Assess Necessity and Proportionality

  • Is the processing necessary for the stated purpose?
  • Could the purpose be achieved with less data?
  • Is the processing proportionate to the purpose?
  • What is the legal basis?

Step 3: Identify and Assess Risks

  • What could go wrong from the data subject's perspective?
  • What is the likelihood of harm?
  • What is the severity of harm?
  • Rate risks (e.g., high, medium, low)

Step 4: Identify Measures to Mitigate Risks

  • What measures reduce likelihood?
  • What measures reduce severity?
  • Are residual risks acceptable?

Step 5: Sign Off and Review

  • DPO consultation (mandatory if DPO appointed)
  • Senior management approval
  • Define review triggers and schedule

Prior Consultation (Article 36)

If residual risks remain high after applying mitigations, you must consult the supervisory authority before processing begins.

Consultation Requirements

  • Provide DPIA to the authority
  • Provide details of controller, DPO, purposes, data subjects
  • Wait for response (up to 8 weeks, extendable)

Best Practice

Conduct DPIAs early in project design, not after decisions are made. Privacy by design is much easier when DPIA findings can influence project direction.