Compliance Tips

What Is a DPIA and When Do You Need One?

7 April 2026 | 3 min read | ObligoBoard Team

A Data Protection Impact Assessment (DPIA) is a structured process for identifying and minimising the data protection risks of a project or processing activity. Under Article 35 of the GDPR, a DPIA is mandatory in certain circumstances — and recommended as good practice in many others.

When Is a DPIA Required?

The GDPR requires a DPIA whenever processing is "likely to result in a high risk" to the rights and freedoms of individuals (Article 35(1)). Article 35(3) names three situations in which this is always the case, and the guidelines endorsed by the European Data Protection Board (WP248) list nine criteria for recognising high-risk processing. The most common triggers are:

  • Systematic monitoring of a publicly accessible area on a large scale (e.g., CCTV with facial recognition)
  • Large-scale processing of special categories of data (Article 9), such as health records or biometric data, or of criminal conviction and offence data (Article 10)
  • Systematic and extensive evaluation of personal aspects based on automated processing, including profiling, that produces legal or similarly significant effects on individuals
  • Innovative use of new technologies, where the impact on data subjects is not yet well understood

If your processing meets two or more of the WP248 criteria, a DPIA is almost certainly required. Check your supervisory authority's published list as well: under Article 35(4) each authority publishes the kinds of processing that always require a DPIA in its jurisdiction. When in doubt, conduct one; the assessment itself is valuable regardless of the legal requirement.

Key Steps in a DPIA

1. Describe the Processing

Document what personal data is involved, how it flows through your systems, who has access, and how long it is retained. Include any third-party processors.

2. Assess Necessity and Proportionality

Explain why the processing is needed and confirm that you are not collecting more data than necessary. Identify the lawful basis and ensure your privacy notice covers the activity.

3. Identify and Evaluate Risks

Think from the data subject's perspective. What could go wrong for them? Consider risks such as unauthorised access, accidental disclosure, data loss, and function creep (data later reused for purposes it was never collected for). Rate each risk by likelihood and severity, which are the two dimensions Recital 90 asks you to assess.

4. Define Mitigation Measures

For each identified risk, document the controls you will put in place: encryption, access restrictions, pseudonymisation, retention limits, staff training, and so on. Record the residual risk after mitigation. If a high residual risk remains that you cannot reduce, Article 36 requires you to consult the supervisory authority before the processing starts.

5. Sign Off and Review

The DPIA should be reviewed by your Data Protection Officer (Article 35(2) requires you to seek the DPO's advice where one has been designated) and signed off by the project owner. Where appropriate, also seek the views of data subjects or their representatives (Article 35(9)). Schedule a review date: DPIAs are living documents that must be revisited at least when the risk presented by the processing changes (Article 35(11)).

Common Mistakes to Avoid

  • Treating the DPIA as a one-off checkbox exercise instead of a living document
  • Conducting the assessment after the project has already launched (Article 35(1) requires it prior to the processing)
  • Failing to consult with stakeholders or the DPO early in the process
  • Not documenting the decision when you determine a DPIA is not required

How ObligoBoard Helps

ObligoBoard includes a built-in DPIA obligation tracker that guides you through each step, records your findings, and stores the evidence you need for accountability. When it is time for an audit, everything is in one place.
