DPIA Guide

Data Protection Impact Assessments (Article 35)

What is a DPIA?

A Data Protection Impact Assessment (DPIA) is a process to identify and minimize the data protection risks of a project or processing activity. GDPR Article 35 requires one when the processing is "likely to result in a high risk" to the rights and freedoms of natural persons.

Legal Requirement: Failure to conduct a DPIA when required can result in fines up to €10 million or 2% of global turnover (Article 83(4)(a)).

When is DPIA Required?

Article 35(3) lists scenarios that require a DPIA:

1. Automated Decision-Making with Legal/Similar Effects

Systematic evaluation including profiling that produces legal effects or similarly significant effects

Example: Credit scoring, loan approvals, employment decisions

2. Large-Scale Special Category Data Processing

Processing special categories (Article 9) or criminal data (Article 10) on a large scale

Example: Health records, biometric authentication, ethnic origin tracking

3. Systematic Monitoring of Public Areas

Large-scale systematic monitoring of publicly accessible areas

Example: CCTV networks, facial recognition in public spaces

Quick Start Guide

  1. Identify high-risk processing
     Platform auto-detects DPIA triggers (biometric data, automated decisions, etc.)
  2. Generate DPIA automatically
     Our AI analyzes file metadata and generates a comprehensive risk assessment
  3. DPO reviews and approves
     Article 35(2) requires DPO consultation (built-in approval workflow)
  4. Export for audit
     Download as PDF or include in the compliance package

What Must a DPIA Include? (Article 35(7))

1. Processing Description

Systematic description of processing operations and purposes

2. Necessity & Proportionality

Assessment of necessity and proportionality of processing

3. Risk Assessment

Risks to rights and freedoms of data subjects

4. Safeguards & Mitigations

Measures to address risks and demonstrate compliance

DPO Consultation (Article 35(2))

You must seek the advice of your Data Protection Officer when carrying out a DPIA.

Our Built-In Workflow

  1. DPIA auto-generated when high-risk processing is detected
  2. Notification sent to DPO for review
  3. DPO can approve, request revision, or reject
  4. All consultation documented in the audit trail
  5. Approved DPIAs included in compliance exports

Common CCO/CPO Scenarios

🚀 Launching New AI Product

Scenario: New AI feature uses automated decision-making (Article 35(3)(a))

Solution: Conduct DPIA before launch → DPO review → Implement safeguards → Document decision

✅ Requirement: DPIA must be conducted "prior to the processing" (Article 35(1))

🏥 Processing Health Data

Scenario: Processing health records (special category data, Article 9)

Solution: Auto-detected by platform → DPIA generated → Explicit consent required

✅ Requirement: Special category data requires DPIA if large-scale (Article 35(3)(b))

🎥 Video Surveillance System

Scenario: CCTV network with facial recognition (Article 35(3)(c))

Solution: DPIA required → Assess necessity → Implement privacy by design → Signage

✅ Requirement: Systematic monitoring of public areas requires DPIA

Understanding Risk Levels

🔴 VERY HIGH

May require supervisory authority consultation (Article 36)

🟠 HIGH

Requires DPIA and additional safeguards

🟡 MEDIUM

DPIA recommended, not mandatory

🟢 LOW

No DPIA required

Frequently Asked Questions

What happens if I don't conduct a DPIA when required?

⚠️ Serious compliance violation with significant fines

  • Fines up to €10 million or 2% of global turnover (Article 83(4)(a))
  • Processing must stop until DPIA completed (Article 35(1))
  • Supervisory authority may require immediate compliance
  • Reputational damage if a data breach occurs

Can I re-use DPIAs for similar processing?

YES - Article 35(1) allows a single DPIA for "a set of similar processing operations."

Examples:

  • Same AI model used for different customer segments
  • Multiple CCTV systems with identical setup
  • Similar automated decision-making across regions

⚠️ Must review and update if processing changes significantly

When should I consult the supervisory authority (Article 36)?

Required when DPIA indicates high residual risk that cannot be mitigated by the controller.

Supervisory authority has 8 weeks to respond (extendable to 14 weeks).

💡 Our platform flags when Article 36 consultation may be needed based on risk score

Ready to Get Started?

Automate DPIA generation and DPO consultation with our Article 35-compliant workflow.