Data Protection Impact Assessment

You must conduct a DPIA when the processing of personal data poses a high risk to data subjects. This article outlines these requirements.

    Data Protection Impact Assessment (DPIA)

    The GDPR requires you to carry out a data protection impact assessment (DPIA) if the processing of personal data could have significant adverse effects for individuals.

    A DPIA is a detailed risk assessment that must comply with specific requirements outlined in Article 35 GDPR.

    When should you conduct a DPIA?

    You must conduct a DPIA if your data processing is likely to result in a high risk to individuals' rights and freedoms. Such risks include physical or financial harm, or serious impacts on privacy.

    Using new technology (such as iris scanning or artificial intelligence) could require a DPIA. However, simply implementing a new IT system does not automatically mean you're using new technology.

    Three situations where a DPIA is mandatory

    In accordance with Article 35(3) GDPR, you must always conduct a DPIA in these scenarios:

    1. Automated decision-making

    When a systematic and extensive evaluation of personal details is carried out using technology to automatically process information and make decisions about individuals, a DPIA must always be conducted.

    For example, a football club checks fans for possible security risks before a major match by comparing ticket buyers against publicly available data. This process might lead to someone being denied entry, even if they have already bought a ticket. This potential impact means that a DPIA is required.

    2. Extensive use of sensitive personal data or criminal records

    If you process large amounts of sensitive personal data or data related to criminal offences, you must conduct a DPIA.

    In this context, "large amounts" can be assessed by considering the number of people affected, the volume of data, the duration of processing and the geographical scope of the processing.

    For example, a national platform for patient records processes sensitive personal data across a broad geographical area and over an extended period. A DPIA is required due to the scale and sensitivity of the data.

    3. Extensive public area surveillance

    If your organisation carries out large-scale surveillance of public spaces using video cameras, for example, you must conduct a DPIA.

    Surveillance has a significant impact on privacy because people may find it difficult to avoid being monitored or to control how their data is used.

    How to conduct a DPIA

    A DPIA is essentially a risk assessment, but it must meet specific GDPR requirements in terms of how it is conducted. In accordance with Article 35(7) GDPR, a DPIA must include at least the following elements:

    • Clearly outline what data is being processed, how it is being collected, stored, used and shared, and the reasons for processing.

    • Evaluate whether the data processing is essential to achieve its purpose and if there are less intrusive alternatives.

    • Identify potential risks, such as unauthorised access, data breaches or negative impacts on individuals.

    • Describe how you will reduce or manage the risks, which may include implementing technical security measures (encryption, access controls) or organisational measures (policies, staff awareness training).

    Below is a step-by-step approach outlining how to conduct a DPIA in compliance with these requirements.

    Describe your data processing

    When conducting a DPIA, the first step is to clearly describe the processing activity that the assessment covers. This description should be similar to the information recorded in your records of processing activities:

    1. Clearly describe why the DPIA is necessary, what the processing aims to achieve and which business processes it supports.

    2. Identify the types of data being processed, where it comes from, the purpose of the processing and how long the data is stored.

    3. Determine who the data concerns, including whether it involves vulnerable groups such as children or patients.

    4. Describe the technology used for processing personal data.

    5. Explain how the processing impacts the individuals involved and society as a whole.

    6. Specify whether data is shared with third parties and provide details on how this is managed.

    Evaluate the legality

    Once you have described the processing activity, you must assess the lawfulness of the processing:

    1. Determine the legal basis of the processing.

    2. Assess whether the purpose is clear and reasonable and if the processing is necessary and appropriate.

    3. Explain how data accuracy is ensured and how data is deleted in a timely manner.

    4. Describe the security measures in place and how potential security breaches are managed.

    5. Outline how the rights of data subjects are handled.

    6. Identify any data processors involved and whether data is transferred outside the EU.

    Evaluate risk likelihood and severity

    After assessing the lawfulness of the processing, you should evaluate the risk to individuals' rights and freedoms. These risks are determined by assessing possible incidents with negative consequences for data subjects, such as:

    • Identity theft

    • Financial loss

    • Damage to reputation

    • Discrimination

    • Loss of confidential data

    The level of risk is determined by the likelihood of these incidents occurring and the potential negative consequences if an incident were to occur.

    Involvement of your data protection officer

    If your company has appointed a data protection officer, they must always be involved in preparing the DPIA.

    Stakeholder engagement

    When deemed relevant and appropriate, you should also involve the data subjects in the DPIA. This can be done, for example, by consulting interest groups for their assessment of the DPIA’s content.

    Risk reduction

    If the DPIA identifies a high risk, you must also explain how this risk will be mitigated. This could involve strengthening data security, adjusting workflows or restricting access to data. Clearly outline the measures to be implemented, who is responsible for them and the timeline for their completion.

    Involvement of the supervisory authority

    If your DPIA shows that the processing still involves a high risk for data subjects even after implementing organisational and technical measures, you must consult the supervisory authority before proceeding with the processing.

    When submitting a consultation request to the supervisory authority, you must include the following information:

    • A clear description of the division of responsibilities between the data controller, data processors and any joint controllers.

    • The purpose of the processing and how it is carried out in practice.

    • The protective measures in place.

    • The contact details of the data protection officer.

    • The DPIA itself.

    Update the DPIA

    The DPIA should be regularly reviewed and updated, especially if there are any changes in the processing of personal data that could alter the risk landscape.

    DPIA template

    Conducting a DPIA is a significant responsibility because it impacts an organisation’s operations and planning. If you are tasked with carrying out a DPIA, you can use the template provided by the supervisory authority as a starting point.

    DPIAs and artificial intelligence

    If your DPIA involves the use of artificial intelligence, you should also review the AI Act, which governs how AI can be applied, especially in cases where the technology introduces new and significant risks that require special attention.

    Further reading

    You can find more information about DPIAs in the following sources:

    Processing activities
