When Is a DPIA Required Under GDPR?
A Data Protection Impact Assessment (DPIA) is a process designed to help you systematically analyse, identify, and minimise the data protection risks of a project or plan. Under GDPR Article 35, DPIAs are mandatory in certain circumstances — not optional.
When a DPIA Is Required
Article 35(3) identifies three scenarios where a DPIA is always required:
- Systematic and extensive profiling with significant effects on individuals — e.g. credit scoring, behavioural advertising, fraud prevention systems
- Large-scale processing of special category data — health data, biometric data, criminal records, political opinions, etc.
- Systematic monitoring of publicly accessible areas — CCTV, WiFi tracking, facial recognition in public spaces
- Evaluation or scoring (profiling, predicting)
- Automated decision-making with legal or significant effects
- Systematic monitoring
- Sensitive data or data of a highly personal nature
- Data processed on a large scale
- Matching or combining datasets
- Data concerning vulnerable subjects (children, employees, patients)
- Innovative use of new technologies
- Processing that prevents individuals from exercising a right or using a service
The DPIA Process
Step 1: Describe the Processing
Document what data you collect, why, how it flows, who accesses it, and how long you retain it.
Step 2: Assess Necessity and Proportionality
Is this processing actually necessary for your stated purpose? Could you achieve the same goal with less data or less intrusive means?
Step 3: Identify and Assess Risks
For each identified risk, assess the likelihood and severity of impact on individuals' rights and freedoms.
Step 4: Identify Mitigating Measures
For each risk, define controls that reduce the likelihood or impact. These become your treatment plan.
Step 5: Consult the DPO
Your Data Protection Officer must be consulted and their recommendations recorded. If you do not have a DPO, consider seeking external advice.
Step 6: Document and Review
The DPIA is a living document. Review it when the processing changes, when new risks emerge, or at least annually.
When to Consult the Supervisory Authority
If after your DPIA you still identify high residual risks that you cannot sufficiently mitigate, Article 36 requires you to consult your supervisory authority before beginning the processing.
How Netallion Helps
Netallion's DPIA builder follows the Article 35 structure with structured fields for necessity assessment, data categories, lawful basis, risk scoring, mitigation measures, and DPO consultation records. Export your completed DPIA as part of your GDPR compliance pack.
Build your DPIA at grc.netallion.app.