Why It Matters
A DPIA is not just a compliance checkbox — it's a risk management tool that forces organizations to think before they process. Regulators have fined organizations specifically for failing to conduct DPIAs, even when no data breach occurred. With the rise of AI, biometrics, and large-scale profiling, DPIAs are becoming more critical than ever.
When Is a DPIA Required?
Article 35(1) mandates a DPIA where processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of individuals. Article 35(3) and supervisory authority guidance identify processing that always falls into this category, including:
- Systematic and extensive profiling with significant effects on individuals
- Large-scale processing of special category data (health, biometrics, criminal records)
- Systematic monitoring of publicly accessible areas (CCTV, Wi-Fi tracking)
- New technologies whose impact is not yet fully understood
- Automated decision-making with legal or similarly significant effects
National supervisory authorities must also publish lists of processing operations that require a DPIA (Article 35(4)), and may publish lists of operations that do not (Article 35(5)). Check your lead authority's list before deciding that an activity is out of scope.
The DPIA Process
Under Article 35(7), a DPIA must contain at minimum:
- Description of the processing — what data, why, how, and how long
- Assessment of necessity and proportionality — is this processing actually needed? Could you achieve the goal with less data?
- Assessment of risks — what could go wrong for the individuals concerned?
- Measures to address risks: safeguards, security measures, and mechanisms to demonstrate compliance with the Regulation
The controller must seek the advice of the data protection officer, where one is designated (Article 35(2)), and should consult data subjects or their representatives where appropriate (Article 35(9)). A DPIA is not a one-off document: Article 35(11) requires it to be reviewed when the risk of the processing changes, for example when a new data source, model, or vendor is added.
What Happens If You Skip It
- Fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for failing to conduct a required DPIA (Article 83(4))
- Prior consultation with the supervisory authority is required under Article 36 if the DPIA shows a high residual risk that the controller cannot mitigate; the authority has eight weeks (extendable by six) to respond
- The supervisory authority can order processing to be limited, suspended, or banned under Article 58 if the risks cannot be brought down to an acceptable level
Key Regulation
- GDPR Article 35 — Data Protection Impact Assessment
- GDPR Article 36 — Prior consultation with supervisory authority
- Article 29 Working Party Guidelines on DPIA (WP 248 rev.01), endorsed by the EDPB — detailed process guidance and criteria for identifying high-risk processing