A Data Protection Impact Assessment (DPIA) is a formal process to evaluate the privacy risks of data processing activities. Under GDPR Article 35, it's mandatory for high-risk processing — and regulators have fined companies for failing to conduct one when required.
When Is a DPIA Mandatory?
A DPIA is required when processing is "likely to result in a high risk" to individuals. The EDPB and national DPAs have clarified this includes:
| Scenario | Example | DPIA Required? |
|---|---|---|
| Large-scale profiling | Behavioral analytics on thousands of users | Yes |
| Systematic monitoring | Employee surveillance, CCTV in public areas | Yes |
| Sensitive data processing | Health data, biometric data, political opinions | Yes |
| Automated decision-making | Credit scoring, AI-based content moderation | Yes |
| Large-scale data combination | Merging datasets from different sources | Yes |
| New technologies | AI chatbots, facial recognition, IoT devices | Yes |
| Children's data | Education platforms, kids' apps | Yes |
| Standard website analytics | Basic page view tracking | Usually not |
| Employee payroll | Standard HR processing | Usually not |
The DPIA Process (7 Steps)
Step 1: Describe the Processing
- What personal data is collected?
- How is data collected (forms, cookies, API, etc.)?
- What is the purpose of processing?
- Who has access to the data?
- How long is data retained?
- Where is data stored and transferred?
Step 2: Assess Necessity and Proportionality
- Is the processing necessary for the stated purpose?
- Could the same goal be achieved with less data?
- What is the legal basis (consent, legitimate interest, contract)?
- Are data subjects adequately informed?
Step 3: Identify Risks to Individuals
Consider risks from the data subject's perspective:
- Identity theft or fraud from data breaches
- Discrimination from automated profiling
- Financial loss from payment data exposure
- Reputational damage from sensitive data disclosure
- Loss of control over personal information
Step 4: Evaluate Risk Likelihood and Severity
| | Low Severity | Medium Severity | High Severity |
|---|---|---|---|
| High Likelihood | Medium Risk | High Risk | Very High Risk |
| Medium Likelihood | Low Risk | Medium Risk | High Risk |
| Low Likelihood | Low Risk | Low Risk | Medium Risk |
Step 5: Identify Mitigation Measures
- Technical measures: Encryption, pseudonymization, access controls, security headers
- Organizational measures: Staff training, data handling procedures, vendor contracts
- Privacy-enhancing technologies: Data minimization, anonymization, cookie-free analytics
- Consent mechanisms: Compliant consent banners, granular opt-in
Step 6: Document and Sign Off
Your DPIA document should include:
- Description of processing operations and purposes
- Assessment of necessity and proportionality
- Risk assessment with likelihood and severity ratings
- Mitigation measures and their effectiveness
- Residual risk assessment after mitigation
- DPO opinion (if you have one)
- Sign-off by the data controller
Step 7: Review and Update
DPIAs aren't one-time documents. Review when processing changes, when new risks emerge, or at minimum every 2-3 years. Set up compliance monitoring to catch changes that could affect your DPIA findings.
Consequences of Skipping a DPIA
- Fines up to €10 million or 2% of annual turnover (GDPR Article 83(4))
- Processing orders from supervisory authorities to halt the processing
- Liability for damages if individuals are harmed
- Reputational damage and loss of customer trust
Start by understanding what data your website collects. Run a free PrivacyChecker scan to get a complete inventory of cookies, trackers, and third-party data flows — essential input for any DPIA.