DPIA: when to carry out a Data Protection Impact Assessment

·

The Data Protection Impact Assessment (DPIA — known in Spanish as Evaluación de Impacto en la Protección de Datos, EIPD) is one of the most powerful — and most frequently overlooked — instruments of the General Data Protection Regulation (GDPR). Its purpose is not bureaucratic: it is to identify and mitigate real risks to natural persons before a data processing activity goes live. When it is mandatory, failing to carry it out exposes the organisation to fines that the competent supervisory authority can impose of up to €10 million or 2 % of total annual worldwide turnover. But beyond the financial penalty, a properly conducted DPIA turns a legal requirement into a genuine data governance tool.

What exactly is a DPIA?

Article 35 of the GDPR defines the data protection impact assessment as a systematic process that the controller must carry out before starting processing operations that are likely to result in a high risk to the rights and freedoms of natural persons. It is not a form to be completed once: it is a documented analysis that identifies the nature of the processing, the specific risks and the technical and organisational measures to be adopted to reduce those risks to an acceptable level.

A DPIA is distinct from both the Record of Processing Activities (RoPA) and the generic information security risk analysis. While the RoPA inventories what is done with data, the DPIA analyses the potential impact on individuals when that «what» presents high-risk characteristics. The DPO (Data Protection Officer), where one exists, must be consulted during the process and their opinion — and whether it was followed — must be recorded.

When is a DPIA mandatory? The three rules of Article 35

Article 35(1) of the GDPR establishes the obligation when a type of processing «is likely to result in a high risk to the rights and freedoms of natural persons». The Regulation itself lists three scenarios that trigger it automatically (Article 35(3)):

  1. Systematic and extensive evaluation of personal aspects based on automated processing, including profiling, which produces legal or similarly significant effects on persons (hiring decisions, credit, insurance…).
  2. Large-scale processing of special categories of data (health, political opinions, ethnic origin, sexual orientation, etc.) or data relating to criminal convictions and offences.
  3. Systematic large-scale monitoring of a publicly accessible area (CCTV, location tracking in public spaces, etc.).

Beyond these three scenarios, the GDPR adds that whenever processing is likely to result in high risk, a DPIA is equally mandatory. To make this concrete, the Article 29 Working Party (now the European Data Protection Board, EDPB) published guidelines WP248 in 2017, revised in 2018, setting out nine key criteria: if a processing activity meets two or more of them, carrying out a DPIA is recommended. The criteria are: evaluation or scoring; automated decision-making with legal or similar effects; systematic monitoring; sensitive data or data of a highly personal nature; data concerning vulnerable data subjects (children, patients, employees); large-scale processing; matching or combining datasets; innovative or novel use of new technologies; and processing that prevents data subjects from exercising a right or using a service.

In addition, many national supervisory authorities have published lists of processing operations that require a DPIA (as required by Article 35(4) of the GDPR). These lists typically include, among others: large-scale processing of special categories of data, customer profiling for marketing purposes, CCTV in public spaces, mass geolocation of employees, and processing that combines data from various sources to create biometric or behavioural profiles.

Common scenarios in a small or medium-sized business

SMEs tend to believe that DPIAs are only for large corporations. That is a mistake. These are frequent scenarios in medium-sized companies where a DPIA is required or strongly recommended:

Comparison table: when is a DPIA mandatory and when recommended?

Type of processing DPIA mandatory? Legal basis Risk if omitted
Large-scale CCTV in a publicly accessible area Yes Art. 35(3)(c) GDPR + supervisory authority list Fine up to €10 M or 2 % turnover
Automated profiling with legal effects Yes Art. 35(3)(a) GDPR Fine + prohibition of processing
Large-scale processing of health data Yes Art. 35(3)(b) GDPR Fine + reputational damage
Biometric time-and-attendance for employees Yes Supervisory authority list + EDPB WP248 Fine + processing declared void
AI for recruitment (scoring) Yes (≥ 2 WP248 criteria) EDPB WP248 rev. 2018 Fine + AI Act risk
Personalised marketing with combined data sources Recommended (assess criteria) EDPB WP248 criteria 7 + 8 Risk of fine if threshold is exceeded
Employee monitoring during remote working Yes in most cases Supervisory authority list + WP248 criterion 8 Fine + labour dispute
Newsletter sent to own customer database No (low risk, compatible purpose) Art. 35(1) GDPR (no high risk) Does not apply

How to carry out a DPIA step by step

A DPIA has no single mandatory format, but the EDPB and national supervisory authorities have published reference methodologies. The standard process consists of six phases:

1. Systematic description of the processing

Precisely document what data is collected, for what purpose, who processes it, how long it is retained, whether it is transferred or shared internationally, and what security measures are already in place. This phase connects directly with the Record of Processing Activities.

2. Assessment of necessity and proportionality

Analyse whether the processing is necessary for the declared purpose and whether a less intrusive alternative exists. Data minimisation (Article 5(1)(c) GDPR) is a principle that must be evidenced in this phase.

3. Identification and assessment of risks

Identify the specific threats — unauthorised access, data loss, fraudulent use, algorithmic discrimination, etc. — and assess their likelihood and impact on the rights of individuals. Many organisations use risk matrices similar to those used in information security (such as those in ISO 27005), but oriented towards the individual rather than the organisation.

4. Measures to address the risks

Define the technical controls (encryption, pseudonymisation, minimum-privilege access, access auditing) and organisational measures (training, contractual clauses with processors, incident response procedures) to be implemented, and assess whether the residual risks are acceptable.

5. DPO opinion and prior consultation with the supervisory authority (where applicable)

Where the organisation has a designated DPO, consulting them is mandatory (Article 35(2) GDPR) and their opinion — and whether it was followed — must be documented. If, after applying the measures, the residual risk remains high, Article 36 of the GDPR requires a prior consultation with the supervisory authority before the processing begins. The authority has up to eight weeks — extendable by a further six weeks in complex cases — to respond.

6. Documentation, approval and periodic review

The DPIA must be documented, formally approved by the controller and reviewed when significant changes occur in the processing or when new risks emerge. It is not a document that can be filed away and forgotten.

DPIA and the AI Act: the regulatory convergence arriving in 2025-2026

Since August 2024, the EU Artificial Intelligence Act (AI Act) has been in force and its phased roll-out reaches organisations using high-risk AI systems from August 2026. Many of those systems — used in HR, credit, education or essential services — involve the processing of personal data, so the DPIA and the AI Act conformity assessment overlap to a great extent. The EDPB and national supervisory authorities have already published alignment criteria between both obligations to avoid duplication of effort: a single document can partially fulfil the requirements of both regulations if it is well structured.

For SMEs that are deploying AI tools in processes affecting people — recruitment, credit scoring, recommendation systems — it is essential to carry out the DPIA before going live, not after. If your company is assessing AI Act compliance, in our AI Act compliance service we address both assessments jointly.

DPIA vs. information security risk analysis: key differences

It is common to confuse the DPIA with the information security risk analysis required by ISO 27001 or equivalent frameworks. They are complementary but distinct instruments:

That said, a sound DPIA necessarily draws on the asset inventory and threat classification produced by the security risk analysis. Organisations that already have an ISMS conformant with ISO 27001 will have done much of the groundwork.

The role of an external DPO in the DPIA

Organisations that do not have a designated DPO — whether because they are not required to or because they have not yet implemented one — typically lack both the methodology and the technical judgement to carry out a DPIA with rigour. An external specialist DPO contributes three concrete things: (1) experience in determining whether processing crosses the high-risk threshold, (2) documented methodology that can withstand scrutiny by the supervisory authority, and (3) the independence to issue an impartial opinion on residual risks.

If you need support in managing your DPIA or in determining whether your data processing activities require one, at Summum Consultoría we have been helping companies with their GDPR compliance since 2007. You can find out more in our GDPR compliance and data protection service.

Frequently asked questions

How long does a DPIA take?

It depends on the complexity of the processing. A DPIA for a standard CCTV system can be completed in two to three weeks with the right documentation in place. A DPIA for an AI system processing health data or making automated decisions can take between four and eight weeks, especially if it involves a prior consultation with the supervisory authority. The factor that most extends the process is not the analysis itself but the collection of internal information (data flows, processor contracts, technical measures already in place).

Does a DPIA have to be published?

No. Article 35 of the GDPR does not require the DPIA to be published, although Recital 93 notes that «where appropriate» the controller may publish the summary or the full document. What is mandatory is that the DPIA is available to the supervisory authority if requested during an inspection. Internally, it must be accessible to the DPO and to the team responsible for the processing.

What happens if processing is started without carrying out a mandatory DPIA?

Omitting a required DPIA constitutes a serious infringement under Article 83(4) of the GDPR, with fines of up to €10 million or 2 % of total annual worldwide turnover (whichever is higher). In addition, the supervisory authority can order the suspension of the processing until the assessment is completed and the risks are managed. In 2023 and 2024, several supervisory authorities imposed specific fines for the absence of a DPIA in biometric data processing and advanced CCTV operations.

Does the DPIA need to be repeated if the processing does not change?

Article 35(11) of the GDPR states that the controller must «review» whether the processing is carried out in accordance with the assessment and, in particular, whether the risks have changed. There is no fixed mandatory review period, but the EDPB recommends reviewing the DPIA when changes occur in the processing (new data, new technology, new recipients), when new known threats emerge, and in any event at a maximum interval of three years for ongoing high-risk processing. If the processing does not change and the risk environment does not either, it is not necessary to redo it from scratch: documenting the review and confirming that the controls remain adequate is sufficient.