What is a Data Protection Impact Assessment (DPIA) under the GDPR?

The GDPR and other laws require a Data Protection Impact Assessment (DPIA) where data processing activities can result in a high risk to the rights and freedoms of individuals. We look at who is responsible for a DPIA, what it should contain, and how to carry it out for your organization.
Woman holding laptop with DPIA shield
by Usercentrics
8 mins to read
Aug 4, 2024

Organizations collect vast amounts of data from their users, which ranges from personal information to website usage patterns to financial details. This data collection helps improve services, tailor experiences, and drive business growth. However, it can also bring significant risks related to data breaches and unauthorized access to or misuse of personal data.

A Data Protection Impact Assessment (DPIA) helps organizations identify these risks, implement necessary safeguards, and maintain regulatory compliance, specifically with the European Union’s (EU) General Data Protection Regulation (GDPR).

What is a Data Protection Impact Assessment (DPIA)?

A Data Protection Impact Assessment (DPIA) is a risk assessment process that helps organizations identify and reduce the risks to personal data they process. It involves examining how personal data is collected, handled, and stored, and ensuring there are adequate measures in place to protect individuals’ privacy and rights as they pertain to that data. Requirements for a DPIA are included in Art. 35 GDPR.

Conducting an effective DPIA enables organizations to detect and address potential problems at an early stage, helping prevent data breaches, avoid legal complications, and protect the organization’s reputation.

Who should implement a DPIA?

The GDPR can require the data controller to carry out a DPIA. A data controller is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

While the data controller may appoint third-party data processors to carry out processing activities on its behalf, the responsibility for the DPIA remains with the data controller who is ultimately responsible for GDPR compliance and data security. The data processor should assist the controller in carrying out the DPIA by providing any necessary information, as required by Article 28(3)(f) GDPR.

If a Data Protection Officer (DPO) is appointed under the regulation, the controller must consult with the DPO when carrying out a DPIA. The advice given by the DPO and the decisions made by the controller should be documented within the DPIA.

The DPIA may be carried out by someone outside the organization, but the data controller remains accountable for ensuring that it is completed appropriately.

When is a DPIA required?

A DPIA is required whenever a processing activity, in particular using new technologies, triggers one of the obligations to conduct it under the law. Art. 35 requires a DPIA where data processing activities are “likely to result in a high risk to the rights and freedoms of natural persons.” According to the guidelines issued by the Article 29 Working Party (WP29), the predecessor of the European Data Protection Board (EDPB), these rights and freedoms include the rights to data protection and privacy, and may also include:

  • freedom of speech
  • freedom of thought
  • freedom of movement
  • prohibition of discrimination
  • right to liberty, conscience, and religion

The GDPR specifically requires controllers to carry out a DPIA when:

  • there is a systematic and extensive evaluation of personal aspects of individuals, including profiling and automated decision-making
  • sensitive data, or data related to criminal convictions and offenses, is processed on a large scale
  • publicly accessible areas are systematically monitored on a large scale

A DPIA may be required in other cases, and the controller must evaluate whether processing activities may result in a high risk to the rights and freedoms of individuals. Some examples from the WP29 and Recital 75 GDPR include cases where the processing:

  • involves the use of new technologies
  • involves matching or combining datasets from two different processing operations
  • involves personal data of vulnerable individuals, including children
  • is done to track behavior, location, or movements
  • may give rise to significant economic or social disadvantage, including identity theft or fraud, discrimination, or financial loss
  • may prevent data subjects from exercising control over their personal data

A DPIA can address either a single processing operation or multiple operations that share similar characteristics in terms of their nature, scope, context, purpose, and risks.

Exclusions from the DPIA requirements

There are two circumstances when a DPIA is specifically not required under the GDPR:

  1. when the processing operations fall under a list established by a supervisory authority or Data Protection Authority of an EU member state as not requiring a DPIA
  2. when the processing has a legal basis in EU law or in the law of the member state that applies to the controller, and that law specifically regulates the processing activity

At what stage should a DPIA be carried out?

A DPIA should be carried out before any type of processing begins that is likely to result in a high risk, ideally during the early planning stages of the project, new feature, or new use case. This early assessment helps identify and manage potential risks even if some processing details are still being finalized.

DPIAs are an ongoing activity, and the controller’s obligation doesn’t end once the initial DPIA has been carried out. If data processing has commenced for specific purposes, but the conditions of processing — such as purpose or type of personal data collected — change significantly and are likely to result in a high risk to individuals’ rights and freedoms, the controller must revisit the DPIA before these new processing conditions are implemented. If a DPIA was not initially required before data processing began but changes in processing conditions make it necessary, then it must be conducted when those new conditions arise.

What are the DPIA requirements under the GDPR?

There are certain minimum regulatory requirements for what a DPIA must include. The key components of a DPIA are:

  • systematic description of the processing operations, including the nature, scope, context, and purposes of the processing
  • assessment of whether the processing operations are necessary and proportional in relation to the purposes, to evaluate whether the same objectives can be met with less data or through less intrusive means
  • identification and assessment of the likelihood and severity of potential risks to data subjects’ rights and freedoms
  • measures to address and mitigate the risks, including safeguards and security measures such as encryption, access controls, and regular audits to protect personal data and demonstrate compliance with the GDPR

DPIA Infographic

DPIAs under US law

There is no comprehensive federal data privacy law in the US, and a number of states have enacted laws to protect the personal data — often referred to as “personal information” in some laws — of their residents.

Many of these US state-level data privacy laws require controllers to conduct DPIAs. While there may be some variations among state laws, they are usually required in the following cases:

  • processing of personal data for the purposes of:
    • targeted advertising
    • profiling
  • sale of personal data
  • processing of sensitive data (which usually includes children’s data)
  • processing activities that present a heightened risk of harm to consumers

What constitutes “sensitive data” or “sensitive personal information” may differ across various laws, so controllers must ensure they follow the specific requirements of each applicable law.

States that require these assessments include Colorado, Texas, Maryland, Connecticut, Virginia, Nebraska, Oregon, and Tennessee, among others. California requires a DPIA under the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA).

DPIA procedure

The GDPR doesn’t specify a procedure for conducting a DPIA, giving controllers the flexibility to approach it in a way that effectively assesses risks and informs data processing decisions. The basic steps to conduct a DPIA are as follows.

1. Identify if a DPIA is required

The first step is to determine whether a DPIA is necessary before data processing activities begin. It may not be immediately clear if a DPIA is necessary, and controllers might realize it partway through the project. In such a case, controllers must ensure the DPIA is completed before they begin any processing activities or begin collecting data.

Start audit now

2. Consult the DPO, if appointed

Art. 35(2) of the GDPR makes it mandatory to consult the DPO if the organization has appointed one. The DPO’s advice must be documented in the DPIA and, if the advice is overruled, the DPIA must explain why.

3. Identify all parties to be consulted

Controllers must list all internal and external stakeholders to be consulted. This includes data processors and data subjects or their representatives. The DPIA must include their feedback on the processing activities and, if feedback is disregarded, why.

4. Document the nature, scope, context, and purposes of the data processing

Controllers should list all the data processing activities, including why and how the data is being processed. This should cover, among other things:

  • what types of personal data are being collected and processed, including whether the data is sensitive, the volume of data, and how long it will be retained
  • the source of the data, and whether it will be shared with any third parties
  • how much control data subjects will have over the data, and whether any new technologies will be used in processing
  • the intended effect on data subjects and benefits for the controller

5. Assess the necessity and proportionality

The GDPR requires controllers to evaluate whether the data processing is necessary and proportional to achieve the intended purposes, including determining the lawful basis for processing. Controllers should consider what information will be shared with data subjects in their privacy policy, how to achieve data minimization and data quality, and how international transfers will be handled.

6. Identify and assess potential risks

Controllers are required to identify and evaluate the potential risks to data subjects’ rights and freedoms, and outline measures to mitigate these risks. They must assess the likelihood and severity of each risk, considering factors like the nature of the data, the context of processing, and the potential impact on individuals. Controllers should develop a risk mitigation plan that includes specific measures such as encryption, anonymization, access controls, and regular security audits.

7. Validate and sign the DPIA

Controllers must validate and sign the DPIA once it is completed. This involves recording who approved the protection measures and any residual risks. Documenting the decision-making process and identifying those responsible for its implementation and authorization provides a clear record of the approval process.

There is no official template from the EDPB, and controllers that need structure or guidance to get started may use templates from Data Protection Authorities such as France’s National Commission on Informatics and Liberty (CNIL) or the UK’s Information Commissioner’s Office. Although the EU GDPR doesn’t apply to the UK post-Brexit, the UK GDPR is nearly identical to the EU version and includes the same provisions for DPIA requirements.

Conclusion and next steps

Conducting a DPIA is a vital practice for safeguarding personal data, maintaining data subjects’ trust, and avoiding reputational damage. By conducting a DPIA, organizations can identify and mitigate potential risks, ensuring that data processing activities are both secure and compliant.

Organizations should consult a qualified legal professional, privacy expert, or DPO to ensure compliance with the GDPR’s DPIA requirements and to implement the necessary safeguards effectively.

Frequently asked questions

What is a DPIA under the GDPR?

A Data Protection Impact Assessment (DPIA) is an assessment of risks to the rights and freedoms of individuals that arise from data processing activities. It involves identifying, evaluating, and mitigating potential risks to ensure data processing complies with GDPR requirements.

When is a DPIA required?

A DPIA is required when data processing activities, in particular using new technologies, are likely to result in a high risk to the rights and freedoms of natural persons or individuals. Specifically, under Art. 35 GDPR, this includes:

  • profiling and automated decision-making that significantly affect individuals
  • large-scale processing of sensitive data, such as health records or criminal convictions
  • systematic monitoring of publicly accessible areas
How frequently is a DPIA required?

A DPIA should be conducted before any data processing that is likely to result in a high risk begins. DPIAs are ongoing activities, so if the processing conditions change significantly, such as a new purpose or different types of personal data being collected, the DPIA must be updated. If a DPIA wasn’t initially required but new conditions make it necessary, it should be conducted when those conditions arise.

How do I conduct a DPIA?

To conduct a DPIA, first determine whether it is required under the GDPR before beginning any new data processing activities. If unclear initially, ensure it is completed before any activities requiring it start. Consult the Data Protection Officer (DPO), if one has been appointed. Identify all relevant internal and external stakeholders, including data processors and data subjects. Document the nature, scope, context, and purposes of the data processing. Assess the necessity and proportionality of the processing, identify and assess potential risks to data subjects’ rights and freedoms, and develop a risk mitigation plan. Validate and sign the DPIA, documenting the decision-making process for clear accountability.

Who is responsible for a DPIA?

Data controllers are responsible for conducting a DPIA under the GDPR. If the organization has appointed a Data Protection Officer (DPO), the controller must seek the DPO’s advice while carrying out a DPIA.

Is DPIA a legal requirement?

Yes, a DPIA is a legal requirement under the GDPR when processing activities are likely to result in a high risk to the rights and freedoms of natural persons.

What do you need to use when identifying, analyzing, and minimizing risk?

When identifying, analyzing, and minimizing risks, you need to conduct a Data Protection Impact Assessment (DPIA). It is a legal requirement under Art. 35 GDPR where the data processing activities in particular using new technologies, are likely to result in a high risk to the rights and freedoms of natural persons or individuals. You should be up to date on what data your organization processes, what sources it’s from, how it’s used and stored, how long it’s retained, and who may have access to it. All of these factors inform risk levels and analysis to mitigate them.

Aug 29, 2024
Understanding the distinctions between PII, PI, and sensitive data is essential for effective data protection and regulatory compliance. By properly classifying and safeguarding these data types, organizations can mitigate risks and build stronger trust with their customers.
Aug 21, 2024
Let’s talk about data privacy and security. What are their differences, the goals of the policies and activities, the best practices, and the methods for implementing them?
Aug 19, 2024
The Minnesota Consumer Data Privacy Act (MCDPA) takes effect on July 31, 2025, establishing new standards for data privacy and consumer protection in the state. Businesses preparing for compliance must understand the key provisions and implications for consumer rights to ensure a smooth transition.