A Data Protection Impact Assessment (DPIA) is a structured process for identifying and minimising the data protection risks of a project, system, or processing activity. The GDPR makes DPIAs mandatory in certain situations — specifically, where processing is likely to result in a high risk to the rights and freedoms of individuals. Getting this right is not just a compliance checkbox; a well-conducted DPIA can prevent costly mistakes and demonstrate genuine accountability.
What Is a DPIA?
Article 35(1) requires the controller to carry out an assessment of the impact of envisaged processing operations on the protection of personal data before the processing begins. A DPIA is a proactive tool — it is designed to identify risks early, when they can still be mitigated or avoided entirely.
A DPIA is not a one-off document. If the nature, scope, context, or purposes of the processing change significantly, the DPIA should be reviewed and updated.
When Is a DPIA Mandatory?
Article 35(3) lists three situations where a DPIA is always required:
1. Systematic and Extensive Profiling with Significant Effects
A DPIA is required for systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing (including profiling), on which decisions are based that produce legal effects or similarly significantly affect the individual.
Example: An insurance company that uses algorithmic profiling to set premiums, where the outcome directly affects the terms offered to individuals.
2. Large-Scale Processing of Special Category Data or Criminal Offence Data
Processing special category data (Article 9) or data relating to criminal convictions (Article 10) on a large scale always requires a DPIA.
Example: A hospital deploying a new electronic health records system that will process the medical data of hundreds of thousands of patients.
3. Systematic Monitoring of a Publicly Accessible Area on a Large Scale
Large-scale, systematic surveillance of public spaces triggers the DPIA requirement.
Example: A city council installing a network of CCTV cameras with facial recognition capabilities across a town centre.
The Nine EDPB Criteria
Beyond the three mandatory cases above, the European Data Protection Board (EDPB, formerly the Article 29 Working Party) has published nine criteria to help organisations assess whether their processing is likely to be high-risk. As a general rule, if your processing meets two or more of these criteria, a DPIA is likely required:
- Evaluation or scoring — including profiling, prediction, or risk assessment (e.g. credit scoring, behavioural analysis).
- Automated decision-making with legal or similar significant effect — processing that determines access to services, employment, credit, or similar outcomes.
- Systematic monitoring — observation, tracking, or surveillance of data subjects, including through networks or across public spaces.
- Sensitive data or data of a highly personal nature — special category data (Article 9), criminal offence data (Article 10), or data that is inherently more sensitive (financial data, communications content, location data).
- Data processed on a large scale — considering the number of data subjects, volume of data, duration of processing, and geographical extent.
- Matching or combining datasets — merging data from different sources in ways that exceed the data subject's reasonable expectations.
- Data concerning vulnerable data subjects — children, employees, patients, elderly people, asylum seekers, or any group with a power imbalance relative to the controller.
- Innovative use or applying new technological or organisational solutions — biometric identification, IoT devices, AI/ML systems, blockchain, and other emerging technologies where the data protection impact is not yet well understood.
- Processing that prevents data subjects from exercising a right or using a service or contract — for example, screening applicants against a database that determines whether they may access a particular service.
Practical tip: When in doubt, conduct a DPIA anyway. There is no penalty for conducting a DPIA that was not strictly required, but there can be serious consequences for failing to conduct one that was.
What Must a DPIA Contain?
Article 35(7) sets out four minimum requirements for the content of a DPIA:
Systematic Description of the Processing
Describe the envisaged processing operations and their purposes, including (where applicable) the legitimate interest pursued by the controller. This should cover:
- What personal data is collected and from whom
- How it is processed, stored, and shared
- The technology and systems involved
- The data flows (including any international transfers)
- The retention period
Assessment of Necessity and Proportionality
Evaluate whether the processing is necessary and proportionate in relation to its purposes. Consider:
- Could the same objective be achieved with less data or less intrusive processing?
- Is the lawful basis appropriate and documented?
- How are data subjects informed (privacy notices)?
- How are data subject rights facilitated?
- What safeguards apply to international transfers?
Assessment of Risks to Rights and Freedoms
Identify the risks to data subjects and assess their likelihood and severity. Consider risks such as:
- Discrimination or reputational damage
- Financial loss or identity theft
- Loss of confidentiality
- Re-identification of pseudonymised data
- Physical harm (in cases involving location data or vulnerable individuals)
Measures to Address the Risks
For each identified risk, describe the measures, safeguards, and mechanisms to mitigate it. These might include:
- Pseudonymisation or encryption
- Access controls and authentication
- Data minimisation
- Retention limits
- Regular security testing
- Staff training
- Contractual clauses with processors
The DPIA should demonstrate that residual risk (after mitigation) is acceptable.
The Role of the DPO
Where a Data Protection Officer has been appointed, Article 35(2) requires the controller to seek the DPO's advice when carrying out a DPIA. The DPO should:
- Advise on whether a DPIA is required
- Provide guidance on methodology and approach
- Review the risk assessment and proposed mitigation measures
- Monitor whether the DPIA is carried out correctly
The DPO's role is advisory — the controller retains responsibility for the decision to proceed with or modify the processing.
Prior Consultation (Article 36)
If, after conducting the DPIA, the residual risk remains high and the controller cannot sufficiently mitigate it, the controller must consult the supervisory authority before commencing the processing.
The supervisory authority has up to eight weeks (extendable by six weeks for complex cases) to provide written advice. During this period, the authority may exercise any of its powers under Article 58, including ordering changes to the processing or imposing a temporary or permanent ban.
In practice: Prior consultation is relatively rare. Most organisations can mitigate residual risks through additional safeguards. The need for prior consultation is a strong signal that the processing as designed may not be compliant and should be reconsidered.
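The risk assessment, mitigation and residual-risk steps described above, together with the Article 36 prior-consultation trigger, as an added worked example. This is illustrative code written for this page, not GDPR4All's DPIA module. It assumes a 5x5 likelihood-by-impact grid with band thresholds chosen here (the Regulation prescribes none), a simple subtractive model of how each safeguard lowers likelihood or impact, and a constructed risk register for the hospital electronic health records scenario used earlier; the risk and measure names are made up for the example.

```python
"""Worked DPIA risk register: inherent risk, safeguards, residual risk,
and whether Article 36 prior consultation is triggered.

Added example for this page, not GDPR4All code. The 5x5 grid, the band
thresholds and the subtractive mitigation model are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed bands for score = likelihood * impact on a 5x5 grid (1..25).
LOW_MAX, MEDIUM_MAX = 4, 12  # 1-4 low, 5-12 medium, 13-25 high


def risk_level(likelihood: int, impact: int) -> str:
    """Map a likelihood/impact pair (each 1..5) to a risk band."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers in 1..5")
    score = likelihood * impact
    if score <= LOW_MAX:
        return "low"
    if score <= MEDIUM_MAX:
        return "medium"
    return "high"


@dataclass
class Measure:
    """A safeguard and how many grid points it removes (assumed model)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One row of the DPIA risk register."""
    description: str
    likelihood: int  # inherent, before safeguards
    impact: int      # inherent, before safeguards
    measures: list[Measure] = field(default_factory=list)

    def residual(self) -> tuple[int, int]:
        """Likelihood/impact after applying all measures, floored at 1."""
        lik = self.likelihood - sum(m.likelihood_reduction for m in self.measures)
        imp = self.impact - sum(m.impact_reduction for m in self.measures)
        return max(1, lik), max(1, imp)

    def inherent_level(self) -> str:
        return risk_level(self.likelihood, self.impact)

    def residual_level(self) -> str:
        return risk_level(*self.residual())


def assess(risks: list[Risk]) -> dict:
    """Summarise the register. Prior consultation (Article 36) is flagged
    when any risk is still 'high' after the planned measures."""
    rows = [
        {"risk": r.description,
         "inherent": r.inherent_level(),
         "residual": r.residual_level(),
         "measures": [m.name for m in r.measures]}
        for r in risks
    ]
    needs_consultation = any(row["residual"] == "high" for row in rows)
    return {"risks": rows, "prior_consultation_required": needs_consultation}


def build_sample_register() -> list[Risk]:
    """Constructed register for the hospital EHR scenario (not real data)."""
    encryption = Measure("encryption at rest", impact_reduction=1)
    access_control = Measure("role-based access control and MFA",
                             likelihood_reduction=2)
    processor_clauses = Measure("Article 28 clauses with the cloud processor",
                                likelihood_reduction=1)
    return [
        Risk("Re-identification of pseudonymised patient records", 4, 5,
             [encryption, access_control]),
        Risk("Loss of confidentiality through a cloud processor", 3, 4,
             [processor_clauses]),
        # No safeguard planned yet: stays high, so consultation is flagged.
        Risk("Discrimination from automated triage scoring", 5, 5),
    ]


if __name__ == "__main__":
    outcome = assess(build_sample_register())
    for row in outcome["risks"]:
        print(f"{row['risk']}: {row['inherent']} -> {row['residual']}")
    print("Prior consultation required:",
          outcome["prior_consultation_required"])
```

Running the module prints each risk's inherent and residual band and flags that the unmitigated triage-scoring risk would require prior consultation; adding a measure to that row (for example human review of every decision) brings the register below the threshold, which is the usual route to avoiding Article 36 that the section describes.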
How GDPR4All Automates the DPIA Workflow
GDPR4All's DPIA module guides you through the entire process:
- Structured templates cover all Article 35(7) requirements — systematic description, necessity assessment, risk evaluation, and mitigation measures.
- Risk matrix provides a visual 5x5 grid for assessing likelihood and impact, with automatic risk level calculation.
- Processing activity linking connects DPIAs to your ROPA entries, ensuring consistency and traceability.
- Approval workflow supports the full lifecycle: Draft, Under Review, Approved, or Rejected — with role-based permissions for reviewers and approvers.
- Audit trail records every change, status transition, and decision for accountability purposes.
Summary
A DPIA is both a legal obligation and a practical safeguard. It forces you to think systematically about data protection risks before they materialise. Where your processing involves profiling, large-scale sensitive data, systematic monitoring, or two or more of the EDPB's nine criteria, a DPIA is not optional. Conduct it early, involve your DPO, document it thoroughly, and revisit it whenever the processing changes.