Skip to content

When is a DPIA required, and what goes in one?

7 min read

A DPIA is required under GDPR Article 35 when processing is likely to result in a high risk to individuals — in particular for systematic and extensive automated evaluation or profiling, large-scale processing of special-category data, or large-scale systematic monitoring of a publicly accessible area. Regulators treat meeting two of nine criteria as the working threshold.

A data protection impact assessment is not paperwork you produce after the fact to justify a decision already made. It is a design-stage exercise, and its whole value lies in being done early enough that the answer can still change what you build.

Done late, it is a formality. Done on time, it occasionally kills a feature — which is the point.

When it is mandatory

Article 35 requires a DPIA where processing is likely to result in a high risk to the rights and freedoms of individuals, and specifically calls out three cases:

  • Systematic and extensive evaluation based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based
  • Large-scale processing of special-category data or criminal-conviction data
  • Large-scale systematic monitoring of a publicly accessible area

Because "high risk" is vague, regulators published nine criteria. The working rule most supervisory authorities apply: if processing meets two or more, do a DPIA.

  1. Evaluation or scoring, including profiling and prediction
  2. Automated decision-making with legal or similar significant effect
  3. Systematic monitoring
  4. Sensitive data or data of a highly personal nature
  5. Data processed on a large scale
  6. Matching or combining datasets
  7. Data concerning vulnerable data subjects (children, employees, patients)
  8. Innovative use or applying new technological or organisational solutions
  9. Processing that prevents data subjects from exercising a right or using a service

Read criterion 8 carefully. "Innovative use of new technology" is exactly where most AI features land — and criterion 1 catches scoring and prediction. A new AI feature that scores users is two criteria on its own.

What has to be in it

Article 35(7) sets the minimum:

  • a systematic description of the processing, its purposes, and the legitimate interest pursued
  • an assessment of the necessity and proportionality of the processing relative to the purpose
  • an assessment of the risks to the rights and freedoms of data subjects
  • the measures envisaged to address those risks — safeguards, security measures, and mechanisms to demonstrate compliance

The second one is the one teams skip, and it is the one that does the work. Necessity and proportionality asks: could you achieve the same purpose with less data, less intrusion, or a shorter retention? If the answer is yes and you did not, the DPIA has just told you the processing is unlawful — and writing it down anyway is worse than not having asked.

What happens if the risk stays high

This is the part almost nobody knows.

If, after all your mitigations, the residual risk is still high, Article 36 requires you to consult the supervisory authority before you start processing. Not notify. Consult — and wait.

The regulator has up to eight weeks to respond, extendable by six. Which means that for a feature in this category, prior consultation is not a compliance formality; it is a release blocker with a multi-month lead time, and it needs to be on the roadmap rather than discovered a fortnight before launch.

The correct response to a high residual risk is usually to change the design until the risk is no longer high.

Making it survivable

Three things separate a DPIA process that works from one that becomes theatre:

Trigger it from the product process, not the compliance calendar. A DPIA should be raised when a feature is specified, not when someone remembers. If it is not in the definition-of-ready, it will be done retrospectively and be worthless.

Connect it to the risk register. The risks a DPIA surfaces do not vanish when the document is signed. They become live risks with owners, mitigations, and residual ratings that someone has to accept.

Write down what you decided not to do. The rejected, more intrusive design is evidence of proportionality — and it is the single most useful thing to have when a regulator asks why you built it this way.

Skipping a required DPIA is itself an infringement, and it is easy for a regulator to prove: the feature exists, the assessment does not.

Frequently asked questions

The controller is responsible, and must seek the advice of the DPO where one is appointed. In practice it is completed by the product or system owner with privacy input — the person who knows what the system actually does — rather than written by compliance in isolation.

No. Only where processing is likely to result in a high risk. The working test used by most supervisory authorities is whether the processing meets two or more of the nine criteria — profiling, automated decisions, monitoring, sensitive data, large scale, data matching, vulnerable subjects, innovative technology, or blocking a right.

Article 36 requires you to consult the supervisory authority before starting the processing, and to wait for its response — up to eight weeks, extendable by six. In most cases the better answer is to redesign the processing until the residual risk is no longer high.

Frequently, yes. AI features often meet criterion 8 (innovative use of new technology) and criterion 1 (evaluation or scoring) simultaneously — which is two of the nine, and therefore the working threshold for a mandatory DPIA.

Risk Register

See how RegRely turns this into a repeatable, evidenced workflow.

Explore Risk Register