DPIA — Data Protection Impact Assessment Step by Step (Article 35 GDPR)
The Data Protection Impact Assessment (DPIA) is one of the most important risk management tools in the GDPR framework. The obligation to conduct a DPIA applies when data processing is likely to result in a high risk to the rights and freedoms of natural persons — and in practice, far more situations fall into this category than many controllers assume.
Deploying a new CCTV system, launching an e-commerce platform with customer profiling, using AI algorithms in recruitment, implementing biometric access control — each of these scenarios requires a DPIA. And the failure to conduct one when required is itself a GDPR violation for which the supervisory authority may impose a fine.
This article explains what a DPIA is, when it is mandatory, how to conduct one step by step, and what mistakes organisations most commonly make.
What Is a DPIA?
A DPIA is a systematic analysis of planned data processing, the purpose of which is to assess whether the processing is likely to result in a high risk to the rights and freedoms of natural persons, and to identify measures that will minimise that risk.
The DPIA is regulated by Article 35 of the GDPR. It is not a one-off document to be created and filed away — it is a process that should accompany the planning and implementation of any higher-risk data processing and be regularly updated thereafter.
It is essential to note that a DPIA must be carried out before processing begins — not after the fact. It is a preventive tool, not a remedial one.
When Is a DPIA Mandatory?
Article 35(1) of the GDPR provides that a DPIA is required where a type of processing — in particular using new technologies — is likely, taking into account its nature, scope, context, and purposes, to result in a high risk to the rights and freedoms of natural persons.
Article 35(3) GDPR lists three specific situations where a DPIA is always required:
1. Systematic and extensive profiling with automated decision-making that produces legal effects or similarly significant effects on the individual — e.g., automated creditworthiness assessments, algorithmic candidate screening in recruitment, scoring systems.
2. Large-scale processing of special categories of data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR) — e.g., a hospital processing patient medical records, an insurance company analysing health data.
3. Systematic monitoring of a publicly accessible area on a large scale — e.g., CCTV monitoring of a shopping centre, facial recognition systems in public spaces.
In addition, the EDPB in Guidelines WP 248 (rev.01) identified 9 criteria that help assess whether processing requires a DPIA. If at least two criteria are met, a DPIA is generally required:
- Evaluation or scoring (including profiling and predicting)
- Automated decision-making with legal or similar significant effect
- Systematic monitoring
- Sensitive data or data of a highly personal nature
- Data processed on a large scale
- Matching or combining datasets
- Data concerning vulnerable data subjects (children, employees, patients)
- Innovative use or application of new technological solutions
- Processing that prevents data subjects from exercising a right or using a service
UODO’s list — in addition to the above criteria, the President of UODO has published a list of processing operations requiring a DPIA under Polish law. The list includes, among others: processing of biometric data solely for identification or verification, processing of genetic data, systematic processing of monitoring data, processing of location data, and profiling using data from external sources.
When Is a DPIA NOT Required?
A DPIA is not required when processing does not result in a high risk to individuals’ rights. Article 35(5) of the GDPR also provides that the supervisory authority may publish a list of processing operations that do not require a DPIA.
In practice, a DPIA is not necessary for standard HR and payroll processing in a small company (provided it does not involve profiling or large-scale special category data), maintaining a basic customer list with contact details, or sending a newsletter based on consent (provided there is no profiling).
When in doubt — it is safer to conduct a DPIA than to risk being found to have failed to do so.
How to Conduct a DPIA — Step-by-Step Procedure
There is no single mandatory DPIA template — the GDPR specifies the minimum content (Article 35(7)) but gives the controller discretion as to format. The EDPB, CNIL, and other supervisory authorities have, however, published models and tools that can be used.
Step 1: Describe the Processing
Describe the planned processing in detail:
- What personal data will be processed (categories of data)?
- Who does the data relate to (categories of data subjects)?
- For what purpose will the data be processed?
- On what legal basis (Article 6 / Article 9 GDPR)?
- How will data be collected, stored, modified, shared, and deleted?
- What systems and technologies will be used?
- Who will have access to the data?
- Will data be transferred outside the EEA?
- What is the planned retention period?
Step 2: Assess Necessity and Proportionality
Answer the following questions:
- Is the processing necessary to achieve the intended purpose?
- Could the purpose be achieved in a less intrusive way (with less data, without profiling, without special category data)?
- Is the scope of data proportionate to the purpose?
- Is the retention period justified?
- How will data subject rights be exercised?
- Is the information obligation properly fulfilled?
Step 3: Identify Risks
Identify risks to the rights and freedoms of natural persons. The EDPB recommends analysing risks across three dimensions:
Confidentiality — risk of unauthorised access to data (e.g., data leak, cyberattack, employee error).
Integrity — risk of unauthorised modification of data (e.g., algorithm error altering personal data, database attack).
Availability — risk of loss of access to data (e.g., system failure, ransomware, lack of backup).
For each risk, assess: the likelihood of occurrence (low, medium, high) and the severity of impact on the individual (low, medium, high). The product of these two factors gives the risk level.
Step 4: Mitigation Measures
For each identified risk, determine measures to reduce it. Measures may be:
Technical — data encryption, pseudonymisation, access control, event logging, automated deletion after retention period, backups, firewalls, IDS/IPS, penetration testing.
Organisational — data protection policies and procedures, staff training, data processing agreements, audits, breach response procedures, data subject rights procedures.
Legal — proper privacy notices, consent collection and management mechanisms, agreements with processors, Transfer Impact Assessment (for transfers outside the EEA).
After applying the measures, reassess the risk level (residual risk). If the residual risk remains high — consultation with UODO is required (Article 36 GDPR — prior consultation).
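The screening test and the likelihood-times-severity scoring from Steps 3 and 4 can be written down as a small risk register, so that the inherent level, the residual level after measures, and the Article 36 decision follow mechanically from the ratings. The code below is an added illustration, not part of this article or of any supervisory authority's tool. The article only states that the Article 35(3) situations always require a DPIA, that meeting at least two EDPB criteria generally does, and that the risk level is the product of likelihood and severity; the 1-to-3 numeric scale, the product thresholds (2 or less is low, 4 or less is medium, otherwise high), the criterion labels and the sample CCTV register are assumptions made for this example.

```python
"""DPIA screening and risk scoring (Steps 3-4) as an added worked example.

Illustrative code, not from the article. Assumed here: the 1-3 ordinal
scale, the product thresholds, the short criterion labels and the sample
register for a shopping-centre CCTV system with facial recognition.
"""
from dataclasses import dataclass, field
from typing import Optional

# Ordinal scale assumed for the article's low/medium/high ratings.
LEVELS = {"low": 1, "medium": 2, "high": 3}

# The nine EDPB (WP 248 rev.01) criteria, abbreviated from the article's list.
EDPB_CRITERIA = frozenset({
    "evaluation or scoring",
    "automated decision-making with legal or similar effect",
    "systematic monitoring",
    "sensitive data",
    "large scale",
    "matching or combining datasets",
    "vulnerable data subjects",
    "innovative technology",
    "prevents exercising a right or using a service",
})

# Article 35(3) situations in which a DPIA is always required.
ART_35_3_TRIGGERS = frozenset({
    "systematic extensive profiling with automated decisions",
    "large-scale special category or criminal data",
    "large-scale systematic monitoring of public area",
})


def dpia_required(triggers: set, criteria: set) -> tuple:
    """Screening step: (required, reason). Any 35(3) trigger decides on its own;
    otherwise at least two EDPB criteria generally require a DPIA."""
    unknown = (triggers - ART_35_3_TRIGGERS) | (criteria - EDPB_CRITERIA)
    if unknown:
        raise ValueError(f"unknown screening labels: {sorted(unknown)}")
    if triggers:
        return True, f"Article 35(3) trigger: {sorted(triggers)[0]}"
    if len(criteria) >= 2:
        return True, f"{len(criteria)} EDPB criteria met (threshold is two)"
    return False, f"{len(criteria)} EDPB criteria met; document the reasoning"


def risk_score(likelihood: str, severity: str) -> int:
    """Likelihood x severity on the 1-3 scale, giving 1, 2, 3, 4, 6 or 9."""
    return LEVELS[likelihood] * LEVELS[severity]


def risk_level(score: int) -> str:
    """Map the product back to low/medium/high (thresholds assumed here)."""
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


@dataclass
class Risk:
    dimension: str              # confidentiality / integrity / availability
    scenario: str
    likelihood: str             # inherent rating, before measures
    severity: str
    measures: list = field(default_factory=list)
    residual_likelihood: Optional[str] = None   # None = unchanged by measures
    residual_severity: Optional[str] = None

    def inherent(self) -> str:
        return risk_level(risk_score(self.likelihood, self.severity))

    def residual(self) -> str:
        lk = self.residual_likelihood or self.likelihood
        sv = self.residual_severity or self.severity
        return risk_level(risk_score(lk, sv))


def assess(register: list) -> dict:
    """Per-risk inherent and residual levels plus the controller's decision:
    any residual 'high' means prior consultation under Article 36."""
    rows = [(r.dimension, r.scenario, r.inherent(), r.residual()) for r in register]
    unmitigated = [r.scenario for r in register if r.inherent() != "low" and not r.measures]
    consult = any(r.residual() == "high" for r in register)
    return {"rows": rows, "unmitigated": unmitigated,
            "decision": "consult UODO (Article 36)" if consult else "proceed"}


# Constructed sample register: CCTV with facial recognition in a shopping centre.
SAMPLE_REGISTER = [
    Risk("confidentiality", "unauthorised access to stored footage", "medium", "high",
         ["encryption at rest", "role-based access control", "access logging"],
         residual_likelihood="low"),
    Risk("integrity", "tampering with recognition results", "low", "high",
         ["signed export records", "change logging"], residual_severity="medium"),
    Risk("availability", "ransomware on the recording server", "medium", "medium",
         ["offline backups", "network segmentation"], residual_likelihood="low"),
]

if __name__ == "__main__":
    print(dpia_required({"large-scale systematic monitoring of public area"},
                        {"systematic monitoring", "sensitive data"}))
    for row in assess(SAMPLE_REGISTER)["rows"]:
        print(row)
    print(assess(SAMPLE_REGISTER)["decision"])
```

In the sample register, the confidentiality risk starts at medium x high (6, high) and drops to low x high (3, medium) once access to footage is encrypted, restricted and logged; none of the residual levels is high, so the decision is to proceed. A risk left at high after the measures would flip the decision to prior consultation, and a non-low risk with an empty measures list is reported separately, which is the "no mitigation measures" mistake the article lists later.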
Step 5: Consult the DPO
Article 35(2) of the GDPR requires the controller to seek the advice of the Data Protection Officer (DPO) when carrying out a DPIA, where one has been designated. The DPO provides an opinion on the DPIA — assessing whether the analysis is complete, whether risks have been correctly identified, and whether the proposed measures are sufficient.
The DPO’s opinion should be documented and appended to the DPIA. If the controller disagrees with the DPO’s opinion, the reasons for the divergence should be documented.
Step 6: Documentation and Decision
The DPIA should be documented in writing. The document should include: a description of the processing, an assessment of necessity and proportionality, a risk analysis, mitigation measures, a residual risk assessment, the DPO’s opinion, and the controller’s decision (proceed / modify / abandon / consult UODO).
Step 7: Review and Update
A DPIA is not a one-off document. Article 35(11) of the GDPR requires the controller to review the DPIA where there is a change in the risk posed by the processing. In practice, this means updating the DPIA when the purposes or scope of processing change, new technologies are introduced, legislation changes, new risks are identified, or a data breach occurs in the analysed process.
Best practice is to review the DPIA at least once a year.
DPIA and New Technologies — AI, Biometrics, IoT
DPIAs are particularly important in the context of new technologies:
Artificial intelligence (AI) — AI systems processing personal data (e.g., chatbots, recommendation systems, automated CV analysis) require a DPIA due to profiling, automated decision-making, and the frequent opacity of algorithms. The AI Act additionally requires a conformity assessment for high-risk AI systems — the DPIA and the AI Act conformity assessment should be aligned.
Biometrics — facial recognition systems, fingerprint scanners, voice recognition — process biometric data (a special category under Article 9 GDPR) and always require a DPIA.
Internet of Things (IoT) — IoT devices collecting user data (smartwatches, smart homes, GPS-equipped vehicle fleets) generate massive volumes of data, often continuously and without the user’s full awareness.
CCTV with analytics — cameras with facial recognition, behaviour detection, or person tracking features go far beyond traditional CCTV and always require a DPIA.
Prior Consultation with UODO (Article 36 GDPR)
If, after conducting a DPIA and applying mitigation measures, the residual risk remains high, the controller is obliged to consult UODO before commencing processing (Article 36(1) GDPR).
Consultation involves submitting the DPIA documentation to UODO together with a description of the mitigation measures. UODO has 8 weeks to issue a written recommendation (the deadline may be extended by 6 weeks in complex cases).
In practice, prior consultations are relatively rare — most organisations are able to reduce residual risk to an acceptable level. However, if your DPIA indicates a persistently high residual risk, consultation with UODO is mandatory, and commencing processing without it constitutes a GDPR violation.
Common DPIA Mistakes
Based on audit practice and supervisory authority decisions, the most common mistakes are:
No DPIA despite the obligation — the organisation implemented a new system (monitoring, profiling, AI) without conducting a DPIA. UODO and European authorities impose fines for the mere absence of a DPIA, regardless of whether a data breach has occurred.
DPIA conducted after the fact — the DPIA was carried out after the system was implemented, rather than before launch. Article 35(1) GDPR explicitly requires the DPIA to be conducted before processing begins.
Superficial risk analysis — generic statements such as “the risk is low” without a concrete analysis of scenarios, likelihood, and impact.
No mitigation measures — the DPIA identifies risks but proposes no specific measures to minimise them, or proposes measures inadequate to the risk level.
No DPO consultation — the controller conducted the DPIA without seeking the DPO’s opinion, despite having a designated DPO.
No updates — a DPIA conducted in 2018 and never revised, despite changes in processing, technology, or legislation.
Treating the DPIA as a formality — filling in a template perfunctorily, without genuine risk analysis or identification of mitigation measures.
Tools for Conducting a DPIA
Several useful tools and templates:
PIA Tool (CNIL) — a free tool from the French supervisory authority for conducting DPIAs. Available in several languages, it guides the user step by step through the entire process.
ICO DPIA Template — the UK’s Information Commissioner’s Office provides a DPIA template with examples and guidance.
EDPB Guidelines WP 248 (rev.01) — official DPIA guidelines containing assessment criteria, examples, and explanations.
UODO’s list — the catalogue of processing operations requiring a DPIA under Polish law.
Checklist — DPIA Step by Step
- Assess whether the processing requires a DPIA (EDPB criteria + UODO list).
- Describe the planned processing in detail.
- Assess the necessity and proportionality of processing.
- Identify risks to data confidentiality, integrity, and availability.
- Assess the likelihood and severity of each risk.
- Determine technical, organisational, and legal measures to minimise risks.
- Assess residual risk after applying measures.
- Consult the DPO and document their opinion.
- Make a decision: proceed / modify / consult UODO.
- Document the DPIA and schedule regular reviews.
Need Help With a DPIA?
Conducting a thorough DPIA requires legal expertise, an understanding of IT processes, and experience in risk management. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we conduct DPIAs for organisations implementing new systems, technologies, and processes — from CCTV and HR systems, through e-commerce platforms, to artificial intelligence solutions.

Contact us — we will assess whether your processing requires a DPIA and conduct it in accordance with EDPB guidelines.
