
DPIA

DPIA (Data Protection Impact Assessment) is a mandatory risk analysis process required by Article 35 of GDPR for processing activities likely to result in high risk to the rights and freedoms of natural persons.

What is DPIA?

DPIA documents: (1) description of processing and its purposes, (2) assessment of necessity and proportionality, (3) risk assessment for data subjects, (4) measures envisaged to address the risks (technical and organizational measures — TOMs).

When is DPIA mandatory?

Art. 35.3 GDPR defines three cases in which a DPIA is mandatory. The European Data Protection Board (EDPB) and national DPAs publish extended lists of high-risk processing types, including:

  1. Profiling and scoring — systematic evaluation of personal aspects, including AI/ML decision-making
  2. Special category data at scale — health, biometric, origin, beliefs, orientation
  3. Systematic monitoring — CCTV in public spaces, employee tracking
  4. Processing of vulnerable subjects — children, employees, patients
  5. Innovative technologies — IoT, AI, blockchain, facial recognition
  6. Transfers to third countries without adequate protection
  7. Processing preventing data subject rights exercise
  8. Combining datasets from various sources for new assessment
  9. Automated decisions with legal effects
  10. Large-scale employee data processing
  11. Location/geolocation data in mobile apps
  12. New applications of existing technologies

DPIA methodology — 6 steps

  1. Processing description — purpose, legal basis, data categories, recipients, retention, data flows (data flow diagrams, DFD)
  2. Necessity assessment — can the purpose be achieved with less invasive means? Data minimization.
  3. Risk identification — catalog of threats (loss of confidentiality, availability, integrity; discrimination; loss of control; reputational damage)
  4. Risk evaluation — likelihood × impact → risk matrix (low/medium/high/critical)
  5. Mitigation measures (TOMs) — technical (encryption, pseudonymization, access control, logs) + organizational (policies, training, data processing agreements)
  6. Consultation and decision — mandatory DPO consultation, documented controller decision, potential prior consultation with supervisory authority (Art. 36 GDPR) if high risk remains

DPIA team

  • DPO — mandatory consultation (Art. 35.2 GDPR)
  • Business process owner — domain knowledge of purpose and means
  • IT/Security — designing and evaluating TOMs
  • Legal / privacy counsel — legal basis, documentation, compliance

DPIA and GDPR — relationship

DPIA is a key controller obligation (Art. 35), embodying the accountability principle (Art. 5.2 GDPR). Failure to conduct DPIA when required is a violation subject to fines up to €10 million or 2% of global turnover (Art. 83.4). In 2023, EU DPAs imposed over €15 million in fines for missing or inadequate DPIAs.

Frequently asked questions

What is DPIA?

DPIA (Data Protection Impact Assessment) is a structured analysis of how processing operations affect individuals' privacy — required by Article 35 GDPR for high-risk processing. The output is a report documenting identified risks, applied technical and organizational measures (TOMs), and the controller's decision on processing admissibility.

When is DPIA mandatory?

DPIA is mandatory when: (1) processing involves systematic, large-scale evaluation of individuals (profiling, scoring), (2) processing of special category data at scale (health, biometric, origin), (3) systematic monitoring of publicly accessible areas. EU data protection authorities publish lists of high-risk processing types — if any applies, DPIA is required.

How does DPIA differ from risk assessment?

Security risk assessment (e.g., ISO 27005) analyzes risks TO the organization — loss of confidentiality, availability, integrity. DPIA analyzes risks TO data subjects — privacy violations, discrimination, loss of data control. DPIA considers the perspective of individuals whose data is processed, not the organization. Both documents often coexist and complement each other.

Who performs DPIA?

The data controller is responsible. In practice, the DPIA is prepared by a team: the DPO (mandatory consultation per Art. 35.2 GDPR), the business process owner, IT/security (technical safeguards), and legal counsel (lawful basis, documentation). For complex processing (AI, scoring), engaging an external DPIA expert is recommended.

How much does DPIA cost?

External DPIA cost depends on processing complexity: simple DPIA (single processing, standard data) — €2-4k, medium (multiple related processing, profiling) — €4-9k, complex (AI systems, automated decisions, cross-border) — €9-20k. Price typically includes DPIA report, records of processing activities, and TOM recommendations.
