Data Protection Impact Assessments (DPIA): When and How
A Data Protection Impact Assessment (DPIA) is a structured process for identifying and minimizing data protection risks in new projects or processing activities. GDPR requires DPIAs for certain high-risk processing, and they represent good practice more broadly for managing privacy risk.
Key Takeaways
| Point | Summary |
|---|---|
| When required | Mandatory for processing likely to result in high risk to individuals |
| Specific triggers | Automated decision-making, large-scale special category data, systematic monitoring |
| Purpose | Identify and mitigate privacy risks before processing begins |
| Documentation | Must document assessment, risks identified, and measures taken |
| DPA consultation | May need to consult supervisory authority if residual risks remain high |
Quick Answer: A DPIA is required when processing is likely to result in high risk to individuals, particularly for automated profiling, large-scale sensitive data, or systematic monitoring. Conduct DPIAs before processing begins to identify and address risks.
When is a DPIA Required?
Mandatory DPIA Triggers
GDPR Article 35 mandates DPIAs when processing is "likely to result in a high risk to the rights and freedoms of natural persons." Three specific scenarios always require a DPIA:
| Trigger | Description |
|---|---|
| Automated decision-making | Systematic and extensive evaluation of individuals based on automated processing, including profiling, that produces legal or similarly significant effects |
| Large-scale special category data | Processing special category data (health, biometrics, race, etc.) or criminal conviction data on a large scale |
| Systematic monitoring | Systematic monitoring of publicly accessible areas on a large scale |
Additional High-Risk Indicators
The European Data Protection Board (EDPB) has identified additional criteria. Processing that involves two or more of these criteria generally requires a DPIA:
| Criterion | Example |
|---|---|
| Evaluation or scoring | Credit scoring, behavioral profiling, health assessments |
| Automated decision-making | Algorithmic decisions affecting service access |
| Systematic monitoring | Tracking location, behavior, or activities |
| Sensitive data | Health records, biometrics, financial data |
| Large scale | Processing affecting many individuals |
| Matching or combining | Combining datasets from different sources |
| Vulnerable subjects | Processing children's data, employee data |
| Innovative technology | New technologies with unknown privacy implications |
| Preventing rights exercise | Processing that could block individuals from services |
National DPA Requirements
Many national data protection authorities publish lists of processing activities that specifically require DPIAs in their jurisdiction. Organizations should check relevant DPA guidance for their operating locations.
When a DPIA Is Not Required
A DPIA is not required when:
- Processing is unlikely to result in high risk to individuals
- A very similar DPIA has already been conducted for similar processing
- Processing has a legal basis in law that already required impact assessment
- Processing is on national DPA "whitelist" (where available)
DPIA Process
Step 1: Describe the Processing
Document the proposed processing clearly:
| Element | Description |
|---|---|
| Nature | What operations will be performed on personal data? |
| Scope | What data, how much, how long, how many people affected? |
| Context | Internal/external factors, relationship with data subjects |
| Purposes | Why is this processing taking place? What will it achieve? |
Step 2: Assess Necessity and Proportionality
Evaluate whether the processing is necessary and proportionate:
| Question | Consideration |
|---|---|
| Is there a lawful basis? | Which legal basis applies? Is it appropriate? |
| Is processing necessary? | Could the purpose be achieved with less data or less intrusive means? |
| Is data minimized? | Is only necessary data being processed? |
| How long is data kept? | Are retention periods appropriate and justified? |
| Is data accurate? | Are there mechanisms to ensure accuracy? |
| Are individuals informed? | Is the privacy policy adequate? |
| Can rights be exercised? | Are processes in place for access, erasure, etc.? |
Step 3: Identify and Assess Risks
Consider risks to individuals' rights and freedoms:
Risk Categories:
| Risk Type | Examples |
|---|---|
| Physical harm | Safety risks from data exposure |
| Material harm | Financial loss, identity theft |
| Non-material harm | Distress, reputational damage, discrimination |
| Loss of control | Individuals losing control over their data |
| Limitation of rights | Being denied services, surveillance |
Risk Assessment Matrix:
| Likelihood/Severity | Low | Medium | High |
|---|---|---|---|
| Low | Low Risk | Low Risk | Medium Risk |
| Medium | Low Risk | Medium Risk | High Risk |
| High | Medium Risk | High Risk | High Risk |
Step 4: Identify Measures to Mitigate Risk
For each risk identified, determine appropriate measures:
| Measure Type | Examples |
|---|---|
| Technical | Encryption, access controls, pseudonymization, anonymization |
| Organizational | Policies, training, audits, limited access |
| Legal | Contracts, consent mechanisms, privacy notices |
| Process | Data minimization, retention limits, accuracy checks |
Step 5: Document and Review
Document the DPIA including:
- Description of processing
- Necessity and proportionality assessment
- Risks identified and their assessment
- Measures to address risks
- Any residual risks and why they are acceptable
- Sign-off from appropriate stakeholders
DPIA Template Structure
A typical DPIA document includes:
Section 1: Processing Overview
| Field | Content |
|---|---|
| Project name | Name of the processing activity or project |
| Data controller | Organization responsible |
| DPO consultation | Confirmation that DPO was consulted |
| Purpose | Why processing is being undertaken |
| Legal basis | Which GDPR legal basis applies |
| Data subjects | Categories of individuals affected |
| Data categories | Types of personal data processed |
| Recipients | Who will receive the data |
| Retention | How long data will be kept |
| International transfers | Any transfers outside EEA |
Section 2: Necessity Assessment
| Question | Response |
|---|---|
| Is processing necessary for stated purpose? | |
| Could purpose be achieved another way? | |
| Is amount of data proportionate? | |
| Are retention periods justified? | |
| Are appropriate safeguards in place? |
Section 3: Risk Assessment
| Risk | Likelihood | Severity | Overall Risk |
|---|---|---|---|
| [Describe risk 1] | Low/Medium/High | Low/Medium/High | Low/Medium/High |
| [Describe risk 2] |
Section 4: Risk Mitigation
| Risk | Mitigation Measure | Residual Risk |
|---|---|---|
| [Risk 1] | [Measure taken] | [Remaining risk level] |
| [Risk 2] |
Section 5: Sign-Off
| Role | Name | Date | Signature |
|---|---|---|---|
| Project Lead | |||
| DPO | |||
| Senior Management |
When to Consult the Supervisory Authority
If residual risks remain high after mitigation measures (meaning you cannot sufficiently reduce the risk through reasonable measures), GDPR requires consultation with the supervisory authority before proceeding.
Prior consultation process:
- Submit DPIA to supervisory authority
- Include detailed information about processing and measures taken
- Authority has 8 weeks to respond (extendable by 6 weeks)
- Authority may provide advice, require changes, or prohibit processing
In practice, prior consultation is relatively rare. Most organizations can reduce risks to acceptable levels through appropriate measures.
Integrating DPIAs into Operations
When to Conduct DPIAs
Conduct DPIAs early (before processing begins) when:
| Trigger | Action |
|---|---|
| New product or feature | DPIA during design phase |
| New vendor with data access | DPIA before onboarding |
| Entering new market | DPIA for new processing contexts |
| Technology change | DPIA if processing changes significantly |
| Regulatory change | Review existing DPIAs for continued validity |
DPIA in Development Lifecycle
Integrating DPIAs into product development:
Phase 1: Planning
- Identify if DPIA is required
- Begin DPIA process alongside requirements gathering
Phase 2: Design
- Complete DPIA during technical design
- Incorporate mitigation measures into specifications
Phase 3: Development
- Implement measures identified in DPIA
- Update DPIA if design changes
Phase 4: Launch
- Confirm all DPIA measures are implemented
- Obtain sign-off before go-live
Phase 5: Ongoing
- Review DPIA periodically
- Update if processing changes materially
Common DPIA Scenarios
Scenario 1: Employee Monitoring
| Element | Consideration |
|---|---|
| Trigger | Systematic monitoring, vulnerable subjects (employees) |
| Key risks | Privacy intrusion, chilling effect, discrimination |
| Typical measures | Clear policy, proportionate scope, transparency, limited retention |
Scenario 2: AI/ML on Personal Data
| Element | Consideration |
|---|---|
| Trigger | Automated decision-making, evaluation/scoring, innovative technology |
| Key risks | Unfair decisions, lack of transparency, bias |
| Typical measures | Human oversight, explainability, bias testing, accuracy monitoring |
Scenario 3: Health Data Processing
| Element | Consideration |
|---|---|
| Trigger | Special category data, potentially large scale |
| Key risks | Discrimination, unauthorized access, psychological harm |
| Typical measures | Strong encryption, strict access controls, pseudonymization, enhanced consent |
Scenario 4: Customer Profiling
| Element | Consideration |
|---|---|
| Trigger | Evaluation/scoring, potentially automated decisions |
| Key risks | Unfair treatment, unexpected uses, loss of control |
| Typical measures | Transparency, opt-out mechanisms, human review, limited profiling scope |
Common Mistakes
| Mistake | Better Approach |
|---|---|
| Conducting DPIA after launch | Begin DPIA during planning/design |
| Treating DPIA as checkbox exercise | Engage genuinely with risks |
| Only considering data breach risk | Consider full range of harms |
| Not involving DPO | Consult DPO throughout |
| Not reviewing DPIAs | Review when processing changes |
| Generic risk assessments | Assess specific risks to your processing |
How Bastion Helps
DPIAs require balancing legal requirements, technical considerations, and practical business needs. Working with experienced partners helps ensure DPIAs are thorough without becoming obstacles to legitimate processing.
| Challenge | How We Help |
|---|---|
| DPIA Triggers | Guidance on when DPIAs are required for your processing activities |
| Risk Identification | Support identifying relevant risks based on your specific context |
| Mitigation Measures | Recommendations for practical, effective risk mitigation |
| Documentation | Templates and support for creating comprehensive DPIA records |
| Process Integration | Help embedding DPIA requirements into your development lifecycle |
| Review and Updates | Periodic review of existing DPIAs as processing evolves |
Getting DPIAs right helps organizations move forward confidently with new initiatives while demonstrating accountability, avoiding both the paralysis of over-caution and the risks of under-assessment.
Questions about when or how to conduct DPIAs? Talk to our team →
Sources
- GDPR Article 35 (EUR-Lex) - Official DPIA requirements
- EDPB Guidelines on DPIA - WP29/EDPB guidance on DPIAs
- ICO DPIA Guidance - UK Information Commissioner guidance