How to Conduct a GDPR Privacy Impact Assessment (DPIA)
Quick Answer
A Data Protection Impact Assessment (DPIA) is a process required under GDPR Article 35 to identify and minimize privacy risks of data processing activities that are likely to result in high risk to individuals' rights and freedoms.
What Is a DPIA?
A Data Protection Impact Assessment (DPIA) is a systematic process required by GDPR Article 35 to assess the necessity and proportionality of data processing activities, evaluate risks to individuals, and identify measures to mitigate those risks. It's mandatory for processing that is likely to result in high risk to individuals.
Key Takeaways
- Required for processing likely to result in high risk to individuals' rights and freedoms
- Must be conducted BEFORE the processing begins — not after
- Three mandatory DPIA triggers: systematic and extensive profiling with significant effects, large-scale processing of special category data, and systematic monitoring of publicly accessible areas
- The DPO must be consulted during the DPIA process
- If high risk remains after mitigation, you must consult the supervisory authority before processing
When Is a DPIA Required?
| Trigger | Examples | Always Required? |
|---|---|---|
| Systematic and extensive profiling with significant effects | Credit scoring, automated recruitment screening, behavioral advertising targeting | Yes (Article 35(3)(a)) |
| Large-scale processing of special category data | Health data processing by hospitals, biometric authentication systems | Yes (Article 35(3)(b)) |
| Systematic monitoring of publicly accessible areas | CCTV with facial recognition, public WiFi tracking | Yes (Article 35(3)(c)) |
| New technologies with unknown risk profiles | AI/ML processing personal data, IoT devices, blockchain identity | Likely yes |
| Large-scale profiling or tracking | Customer behavior analytics, location tracking at scale | Likely yes |
| Combining datasets from different sources | Data enrichment, matching datasets, cross-platform profiling | Likely yes |
DPIA Process Step-by-Step
1. Describe the processing: document what data is collected, how it is processed, by whom, for how long, and through what systems. Include data flows, storage locations, and recipients.
2. Assess necessity and proportionality: is this processing necessary for the stated purpose? Could you achieve the same goal with less data or less intrusive methods? Document your justification.
3. Identify and assess risks: what risks does this processing pose to individuals? Consider unauthorized access, data loss, discrimination, financial harm, reputational damage, and loss of confidentiality.
4. Identify mitigation measures: for each identified risk, determine what controls will reduce it, such as encryption, access controls, anonymization, data minimization, and consent mechanisms.
5. Consult the DPO: your Data Protection Officer (if you have one) must be consulted during the DPIA. Document their input and recommendations.
6. Document the assessment: create a formal DPIA report documenting all of the above. This document may be requested by supervisory authorities.
7. Consult the supervisory authority (if needed): if high risk remains after mitigation measures, you must consult your supervisory authority before proceeding with the processing.
DPIA Documentation Requirements
What a DPIA Must Include (Article 35(7))
- Systematic description of the processing operations and purposes
- Assessment of necessity and proportionality in relation to the purposes
- Assessment of risks to rights and freedoms of data subjects
- Measures envisaged to address risks, including safeguards and mechanisms
DPIA Is Not a One-Time Exercise
DPIAs should be reviewed and updated whenever the nature, scope, context, or purposes of processing change significantly. Introducing new technology, expanding to new markets, or changing data flows should all trigger a DPIA review.
DPIA Decision Flow
Determine whether a DPIA is needed and what to do with the results
- New Processing Activity: planning a new data processing operation
- Screening Assessment: does it involve high-risk processing triggers?
- Conduct Full DPIA: if yes, assess risks and identify mitigations
- Residual Risk Assessment: is the remaining risk acceptable?
- Consult DPA (if high risk): if residual risk is high, consult the supervisory authority before processing
What happens if I don't do a required DPIA?
Failure to conduct a required DPIA is a GDPR violation subject to fines of up to EUR 10 million or 2% of global annual revenue. It also means you may be processing data without understanding the risks, which increases your exposure to other violations.
Can I do a DPIA after processing has started?
Technically, DPIAs should be conducted before processing begins. However, if you have already started processing without a DPIA, conduct one as soon as possible. It is better to assess risks late than never, and doing so demonstrates good-faith compliance efforts.
How long does a DPIA take?
Simple DPIAs for straightforward processing can be completed in 1-2 weeks. Complex DPIAs involving new technologies, large-scale processing, or multiple stakeholders can take 4-8 weeks. Using templates and compliance tools can significantly reduce the time.
Does every new feature need a DPIA?
Not necessarily. Conduct a screening assessment for each new feature that involves personal data. If it meets the high-risk criteria, a full DPIA is needed. For lower-risk features, document why a DPIA wasn't required.