GDPR DPIA: When You Need One and How to Write It
A Data Protection Impact Assessment is mandatory before high-risk processing under GDPR Article 35. This guide explains triggers, methodology, and documentation.
A Data Protection Impact Assessment (DPIA) is a structured process for identifying and reducing risks to individuals before a new processing activity starts. Under GDPR, completing a DPIA is not optional: Article 35 makes it a legal requirement for certain categories of processing, and supervisory authorities across the EU treat a missing or inadequate DPIA as a serious compliance failure in its own right.
This guide explains when a DPIA is required, how to conduct one, what to document, and when you need to consult your supervisory authority.
When Is a DPIA Required
Article 35(1) establishes the core trigger: a DPIA is mandatory where processing is "likely to result in a high risk to the rights and freedoms of natural persons." The obligation applies to new processing and to existing processing where the nature, scope, context, or purposes have changed significantly.
Article 35(3) identifies three processing types that always require a DPIA:
- A systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects or similarly significantly affect the person: for example, automated decisions about creditworthiness, work performance, reliability, or behaviour.
- Large-scale processing of special category data under Article 9 (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data used to uniquely identify a person; health data; data concerning sex life or sexual orientation) or of data relating to criminal convictions and offences under Article 10.
- Systematic monitoring of a publicly accessible area on a large scale: CCTV surveillance, tracking systems in public spaces.
In addition, each supervisory authority publishes a list of processing operations that require a DPIA in its jurisdiction. The EDPB has issued guidance consolidating common criteria across national lists.
The Nine Criteria: Two or More Triggers a DPIA
The Article 29 Working Party guidelines on DPIAs (WP248 rev.01), endorsed by the European Data Protection Board (EDPB), identify nine criteria drawn from Article 35(3) and Recital 91. If your processing meets two or more of them, treat a DPIA as required:
- Evaluation or scoring of individuals (profiling, predicting behaviour)
- Automated decision-making with legal or similarly significant effects
- Systematic monitoring
- Processing sensitive data (Article 9 or Article 10) or data of a highly personal nature
- Large-scale processing
- Matching or combining datasets from different sources
- Processing data about vulnerable individuals (children, employees, patients)
- Innovative technology use or novel application of existing technology
- Processing that in itself prevents data subjects from exercising a right or using a service or contract (for example, screening customers against a credit reference database before granting a loan)
The more criteria a processing operation meets, the more likely it is to present a high risk, and a single criterion can still trigger a DPIA where the resulting risk is particularly high. Counting criteria requires honest evaluation: the purpose is to identify real risks to individuals, not to engineer a classification that avoids the obligation. If you decide not to carry out a DPIA, record the reasons for that decision; accountability under Article 5(2) applies to the screening step as well.
The DPIA Methodology
A well-structured DPIA follows four stages:
Stage 1: Describe the Processing
Document the processing activity in full: what data is collected, from whom, for what purpose, on what legal basis, how long it is retained, with whom it is shared, which processors are involved, and whether data leaves the EEA. This is the foundation: you cannot assess risks you have not understood and described.
Stage 2: Assess Necessity and Proportionality
Evaluate whether the processing is necessary to achieve the stated purpose and whether the same purpose could be achieved with less privacy impact. This stage tests the legal basis under Article 6, the data minimisation principle under Article 5(1)(c), and the purpose limitation principle under Article 5(1)(b). Document why less intrusive alternatives are insufficient.
Stage 3: Identify and Assess Risks
Identify specific risks to data subjects: unauthorised access or disclosure, incorrect data leading to wrong decisions, re-identification of pseudonymised data, discrimination, financial harm, loss of control over data, reputational damage. For each risk, assess its likelihood and severity. This is an assessment of harm to individuals, not a purely technical one: consider what would actually happen to a person if the risk materialised, not only what would happen to the organisation.
Stage 4: Evaluate Controls and Residual Risk
For each identified risk, document the technical and organisational controls you will implement to mitigate it (for example, pseudonymisation, access restrictions, retention limits, or encryption), then assess the residual risk once those controls are applied. If residual risk remains high even after controls, you must consult the supervisory authority before proceeding with the processing (Article 36). Record the decision and its rationale either way.
What Must Be Documented
Article 35(7) specifies what a DPIA must contain:
- A systematic description of the envisaged processing operations and the purposes, including the legitimate interest pursued by the controller where applicable
- An assessment of the necessity and proportionality of the processing in relation to the purposes
- An assessment of the risks to the rights and freedoms of data subjects
- The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data
Additionally, document: who conducted the DPIA, the DPO's advice (Article 35(2) requires you to seek the DPO's advice where a DPO has been designated), the date of the assessment, and the review schedule.
When to Consult the Supervisory Authority
Article 36(1) requires prior consultation with the supervisory authority where a DPIA indicates that the processing would result in a high risk in the absence of measures taken to mitigate it. This is not a formality â it is a hard-stop requirement before beginning the processing.
Under Article 36(3), the consultation must provide the supervisory authority with the DPIA itself, the respective responsibilities of the controller, any joint controllers and any processors, the purposes and means of the intended processing, the measures and safeguards envisaged to protect data subjects, the contact details of the DPO where one has been designated, and any other information the authority requests. Article 36(2) gives the authority up to eight weeks to provide written advice, extendable by a further six weeks for complex processing; these periods are suspended while the authority is waiting for information it has requested. The regulation does not expressly state what happens if no advice arrives within the period; the usual reading is that processing may then begin, but confirm your authority's position before relying on silence.
Common Mistakes
The most frequent DPIA failures seen in supervisory authority guidance and enforcement decisions are: treating the DPIA as a retroactive exercise after processing has already begun (Article 35 requires the assessment before processing starts); conducting a superficial risk assessment that names risks without evaluating their likelihood or severity; failing to seek the DPO's advice; omitting the necessity and proportionality assessment; and documenting controls without assessing whether residual risk remains high. A DPIA that reads like a checkbox exercise rather than a genuine risk analysis will not protect an organisation in an enforcement investigation.
Last updated: May 2026. For informational purposes only, not legal advice.
Frequently Asked Questions
Which processing activities most commonly require a DPIA in practice?
The most common triggers for DPIAs in commercial organisations are: employee monitoring systems (including productivity software that tracks keystrokes, screen activity, or location); automated credit or insurance underwriting; health or wellness data processing, including apps and wearables; large-scale customer profiling for marketing purposes; and any use of biometric data for identification or access control. The combination of special category data with automated decision-making is particularly likely to require a DPIA under both Article 35(3) and the nine-criteria approach in WP248.
Does a DPIA need to be updated after completion?
Yes. Article 35(11) requires the controller to review the DPIA "where necessary", and at least when there is a change in the risk represented by the processing. Best practice is to define a scheduled review cycle, typically annually, and to trigger an immediate review whenever the processing purpose, data types, recipients, technology, or risk profile change materially. The DPIA document should include a version history and record who approved each version. Supervisory authorities are likely to treat an out-of-date DPIA for processing that has since changed materially as no DPIA at all for the current activity.
What happens if a DPIA is not completed when required?
Failure to carry out a DPIA where one is required is itself an infringement of GDPR Article 35, separate from any underlying data protection breach. Under Article 83(4), infringements of Article 35 are subject to administrative fines of up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. Several supervisory authorities, including the Belgian APD and the Danish Datatilsynet, have issued reprimands and fines specifically for the failure to conduct a DPIA before processing began, independent of whether the processing itself caused any harm to data subjects.
Sources
- EUR-Lex, Regulation (EU) 2016/679 (GDPR), Article 35 and Article 36: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
- Article 29 Working Party (endorsed by the European Data Protection Board), Guidelines on Data Protection Impact Assessment (DPIA) (WP248 rev.01): https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-wp248_en
- Article 29 Working Party (endorsed by the European Data Protection Board), Guidelines on automated individual decision-making and profiling (WP251 rev.01): https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-wp251_en
- ICO (UK), DPIA guidance and template: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/
EuroComply Editorial Team
EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.