GDPR Data Protection Impact Assessments: When and How
Data Protection Impact Assessments (DPIAs) are a cornerstone of GDPR compliance and operational risk management. Under GDPR Article 35, organizations must conduct a DPIA for processing that is likely to result in high risk to the rights and freedoms of data subjects. Yet many compliance teams struggle with the practical threshold questions: when exactly must we perform one, and what should it contain?
This guidance addresses the core requirements and provides a framework for determining DPIA necessity, structuring your assessment, and managing the output effectively.
When a DPIA is Mandatory
GDPR Article 35(1) requires a DPIA, carried out before the processing begins, where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing. New technology is an indicator, not a precondition: long-established processing can still need a DPIA if its risk profile is high. The test is intentionally broad and calls for contextual judgment rather than a simple checklist.
Article 35(3) names three cases where a DPIA is always required: a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, that produces legal or similarly significant effects; large-scale processing of special category data (Article 9) or criminal conviction and offence data (Article 10); and large-scale systematic monitoring of a publicly accessible area. The Article 29 Working Party guidelines on DPIAs (WP248 rev.01, endorsed by the EDPB) add nine criteria, including evaluation or scoring, systematic monitoring, sensitive or highly personal data (biometric and genetic data among them), large-scale processing, matching or combining datasets, vulnerable data subjects such as children, and innovative technology; as a rule of thumb, processing that meets two or more of these criteria requires a DPIA. Each supervisory authority also publishes its own list of processing operations that require one under Article 35(4), so check the list for every jurisdiction you operate in. None of these lists is exhaustive.
In practice, your compliance team can use this three-part screening test: (1) Is the processing novel, or does it use new technology? (2) Does it involve special category data, children's data, or systematic monitoring? (3) Could it materially affect individual rights, create discrimination risks, or cause loss of control over personal data? A yes to more than one of these is a strong signal that a DPIA is required; a yes to any one of them means you should at least check the Article 35(3) cases and your supervisory authority's list before deciding.
Many organizations adopt a conservative approach: if there is reasonable doubt, conduct the assessment. The cost of a thorough DPIA is typically lower than the cost of regulatory findings or remediation after the fact. Where you decide a DPIA is not needed, record that decision and the reasons for it; regulators expect the screening itself to be documented, not only the assessments you chose to run.
Structuring Your DPIA
Under GDPR Article 35(7), your DPIA must contain at least: (a) a systematic description of the envisaged processing operations and their purposes, including, where applicable, the legitimate interest pursued by the controller; (b) an assessment of the necessity and proportionality of the processing in relation to those purposes; (c) an assessment of the risks to the rights and freedoms of data subjects; and (d) the measures envisaged to address those risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance.
Begin with a clear processing description. Document what data you collect, from whom, how long you retain it, who can access it (including processors and any other recipients), and where it is stored or transferred, noting any transfer outside the EEA. Include the technical and organizational architecture: systems, data flows, and the roles that touch the data. This foundation is essential; vague or incomplete descriptions undermine the entire assessment, because every later risk and control refers back to it.
Next, evaluate necessity and proportionality. Ask: Is this processing genuinely necessary to achieve the stated purpose? Could you achieve the same goal with less invasive means? Have you applied data minimization principles under GDPR Article 5(1)(c)? For example, if you seek to improve customer service quality, do you truly need to retain call recordings for five years, or would six months achieve the objective?
The risk analysis is the intellectual core of your DPIA. Assess risk from the data subject's perspective (Recitals 75 and 76): the question is what physical, material or non-material harm an individual could suffer, not what the organization stands to lose. Identify risks across multiple dimensions: confidentiality, integrity and availability of the data (unauthorized access, unwanted modification, loss of the data), autonomy risks (automated decisions that limit choices), and discrimination risks (biased algorithms affecting protected characteristics). For each risk, assess likelihood and severity on the basis of an objective assessment and record the result. A risk matrix is helpful: plot each risk on axes of likelihood (low to high) and severity (low to high). This forces explicit prioritization.
Finally, document your mitigation measures. These should be specific and verifiable. Instead of "implement strong security," state: "encrypt data in transit using TLS 1.2 or higher; encrypt data at rest using AES-256; perform annual penetration testing." Link each mitigation to a specific identified risk and record the residual risk that remains once the measure is applied. A control that maps to no risk is a sign of a generic checklist rather than a risk-proportionate design, and the residual ratings are what decide whether the supervisory authority must be consulted before you proceed.
Consultation and Documentation
Two consultation duties are easy to confuse. Article 35(2) requires you to seek the advice of your Data Protection Officer, where one is designated, while carrying out the DPIA, and Article 35(9) asks you, where appropriate, to seek the views of data subjects or their representatives. Article 36(1) then requires prior consultation with the supervisory authority where the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate it, in other words where high residual risk remains after your planned controls. The authority has up to eight weeks to give written advice, extendable by a further six weeks for complex processing (Article 36(2)), so budget for that delay. Many organizations underestimate this requirement; ensure your governance process includes a decision gate after DPIA completion at which residual risk is reviewed and the consultation decision is recorded.
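The risk-matrix scoring, the one-to-one linking of mitigations to risks, and the residual-risk decision gate described above can be kept in a small register rather than a loose spreadsheet. The Python below is an added illustration for this guidance, not code from any regulator or product; the 3x3 scale, the score thresholds, the hypothetical call-recording programme and every risk and control in it are constructed assumptions.

```python
"""DPIA risk register: inherent vs. residual risk, mitigation linkage and the
Article 36 decision gate.

Added illustration, not from any regulator, guideline or product. The 3x3
scale, the score thresholds and every risk and mitigation below are
constructed assumptions for a hypothetical call-recording programme.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def rating(likelihood: Level, severity: Level) -> str:
    """Map a likelihood x severity product onto matrix cells (assumed thresholds)."""
    score = likelihood * severity
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Mitigation:
    ident: str
    description: str
    addresses: str                   # id of the linked risk ("" = not linked to any)
    likelihood_reduction: int = 0    # levels the control is assumed to remove
    severity_reduction: int = 0


@dataclass
class Risk:
    ident: str
    description: str
    likelihood: Level
    severity: Level
    mitigations: list[Mitigation] = field(default_factory=list)

    def inherent(self) -> str:
        return rating(self.likelihood, self.severity)

    def residual_levels(self) -> tuple[Level, Level]:
        """Apply the linked mitigations; a level never drops below LOW."""
        lik = max(1, int(self.likelihood) - sum(m.likelihood_reduction for m in self.mitigations))
        sev = max(1, int(self.severity) - sum(m.severity_reduction for m in self.mitigations))
        return Level(lik), Level(sev)

    def residual(self) -> str:
        return rating(*self.residual_levels())


def link(risks: list[Risk], mitigations: list[Mitigation]) -> list[Mitigation]:
    """Attach each control to the risk it names; return controls tied to no identified risk."""
    by_id = {r.ident: r for r in risks}
    orphans = []
    for m in mitigations:
        if m.addresses in by_id:
            by_id[m.addresses].mitigations.append(m)
        else:
            orphans.append(m)
    return orphans


def needs_prior_consultation(risks: list[Risk]) -> list[str]:
    """Article 36(1) gate: risks whose residual rating is still high after mitigation."""
    return [r.ident for r in risks if r.residual() == "high"]


def build_register() -> tuple[list[Risk], list[Mitigation]]:
    # Constructed sample entries for a hypothetical call-recording programme.
    risks = [
        Risk("R1", "Unauthorised access to recordings (loss of confidentiality)", Level.MEDIUM, Level.HIGH),
        Risk("R2", "Automated quality scores used to discipline agents (autonomy, discrimination)", Level.HIGH, Level.HIGH),
        Risk("R3", "Recordings kept for five years, longer than the purpose needs", Level.HIGH, Level.MEDIUM),
    ]
    mitigations = [
        Mitigation("M1", "AES-256 at rest, TLS 1.2+ in transit, access limited to the QA role", "R1", likelihood_reduction=1),
        Mitigation("M2", "Human review before any adverse action based on a score", "R2", severity_reduction=1),
        Mitigation("M3", "Retention cut to six months with automated deletion", "R3", likelihood_reduction=2),
        Mitigation("M4", "Annual penetration test", ""),   # generic control, tied to no risk
    ]
    return risks, mitigations


def assess() -> dict:
    """Build the register, link controls, and report what the decision gate needs."""
    risks, mitigations = build_register()
    orphans = link(risks, mitigations)
    return {
        "inherent": {r.ident: r.inherent() for r in risks},
        "residual": {r.ident: r.residual() for r in risks},
        "unlinked_controls": [m.ident for m in orphans],
        "prior_consultation_for": needs_prior_consultation(risks),
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

Running it shows the two failure modes the text warns about: R2 remains high after its only mitigation, so the register flags it for Article 36 prior consultation rather than letting the project proceed on the strength of the inherent score alone, and M4 is reported as a control linked to no identified risk, the "generic checklist" pattern that reviewers read as a weak assessment.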
Document everything. Your DPIA should be retained and updated as processing evolves. Article 35(11) requires a review where necessary, and at least when the risk presented by the processing operations changes; the Article 29 Working Party guidance (now carried forward by the EDPB) treats DPIAs as living documents, not one-time checkbox exercises. Schedule reviews when: technologies change, data volumes increase significantly, new data categories are added, a new processor or recipient is introduced, or regulatory guidance shifts.
Practical Takeaway
Treat your DPIA as strategic risk documentation that serves multiple functions: demonstrating GDPR accountability (Article 5(2)), informing system design decisions, and creating an audit trail for regulators. A well-constructed DPIA reduces enforcement risk and strengthens your privacy by design posture across the organization.