Compliance
5 min

When Is a DPIA Required Under GDPR? A Decision Framework

Data Protection Impact Assessments are mandatory in specific scenarios under GDPR Article 35. Use this decision framework to determine if your processing requires one.

Netallion Team·May 5, 2026

When Is a DPIA Required Under GDPR?

A Data Protection Impact Assessment (DPIA) is a process designed to help you systematically analyse, identify, and minimise the data protection risks of a project or plan. Under GDPR Article 35, DPIAs are mandatory in certain circumstances — not optional.

When a DPIA Is Required

Article 35(3) identifies three scenarios where a DPIA is always required:

  1. Systematic and extensive profiling with significant effects on individuals — e.g. credit scoring, behavioural advertising, fraud prevention systems
  2. Large-scale processing of special category data — health data, biometric data, criminal records, political opinions, etc.
  3. Systematic monitoring of publicly accessible areas — CCTV, WiFi tracking, facial recognition in public spaces
Additionally, the European Data Protection Board (EDPB) provides criteria. A DPIA is likely needed when processing involves two or more of:
  • Evaluation or scoring (profiling, predicting)
  • Automated decision-making with legal or significant effects
  • Systematic monitoring
  • Sensitive data or data of a highly personal nature
  • Data processed on a large scale
  • Matching or combining datasets
  • Data concerning vulnerable subjects (children, employees, patients)
  • Innovative use of new technologies
  • Processing that prevents individuals from exercising a right or using a service

The DPIA Process

Step 1: Describe the Processing

Document what data you collect, why, how it flows, who accesses it, and how long you retain it.

Step 2: Assess Necessity and Proportionality

Is this processing actually necessary for your stated purpose? Could you achieve the same goal with less data or less intrusive means?

Step 3: Identify and Assess Risks

For each identified risk, assess the likelihood and severity of impact on individuals' rights and freedoms.

Step 4: Identify Mitigating Measures

For each risk, define controls that reduce the likelihood or impact. These become your treatment plan.

Step 5: Consult the DPO

Your Data Protection Officer must be consulted and their recommendations recorded. If you do not have a DPO, consider seeking external advice.

Step 6: Document and Review

The DPIA is a living document. Review it when the processing changes, when new risks emerge, or at least annually.

When to Consult the Supervisory Authority

If after your DPIA you still identify high residual risks that you cannot sufficiently mitigate, Article 36 requires you to consult your supervisory authority before beginning the processing.

How Netallion Helps

Netallion's DPIA builder follows the Article 35 structure with structured fields for necessity assessment, data categories, lawful basis, risk scoring, mitigation measures, and DPO consultation records. Export your completed DPIA as part of your GDPR compliance pack.

Build your DPIA at grc.netallion.app.

GDPR
DPIA
Data Protection
Privacy

Ready to build your compliance evidence pack?

Start with a free starter kit or create your first assurance pack.