- GDPR Article 35: a DPIA is mandatory when processing is "likely to result in a high risk" to individuals
- Must be done before processing begins — not after implementation
- Three scenarios always require a DPIA: systematic profiling, large-scale special category data, systematic public monitoring
- If residual risk is still high after mitigation, you must consult your supervisory authority before proceeding
A Data Protection Impact Assessment (DPIA) is a systematic process for identifying and minimising the data protection risks of a new project, system, or change in processing. It is not optional when high-risk processing is involved — Article 35 of GDPR makes it mandatory, and failing to conduct one when required can itself attract regulatory action.
When is a DPIA required?
A DPIA is required when processing is "likely to result in a high risk" to individuals' rights and freedoms. GDPR Article 35(3) specifies three cases that always require a DPIA:
- Systematic and extensive profiling with significant effects (including automated decision-making)
- Large-scale processing of special category data (health, biometric, criminal offences, etc.)
- Systematic large-scale monitoring of publicly accessible areas (CCTV, tracking)
National supervisory authorities publish lists of processing operations that require a DPIA in their jurisdiction. The EDPB has published criteria: if two or more of the following factors apply, a DPIA should be conducted:
- Evaluation or scoring (including profiling)
- Automated decision-making with significant effect
- Systematic monitoring
- Sensitive data or data of a highly personal nature
- Data processed on a large scale
- Matching or combining datasets
- Data concerning vulnerable subjects (children, employees, patients)
- Innovative use of technology (AI, biometrics, IoT)
- Processing that prevents individuals from exercising rights or accessing services
Timing matters: A DPIA must be completed before processing begins. Conducting it retrospectively — after implementation — does not satisfy the requirement, and cannot undo a violation that has already occurred.
What a DPIA must contain
GDPR Article 35(7) sets out the minimum content:
- Description of the processing — what data, for what purpose, by what means, by whom
- Assessment of necessity and proportionality — is the processing necessary and proportionate to the purpose?
- Assessment of risks — to the rights and freedoms of data subjects, including likelihood and severity
- Measures to address risks — technical and organisational safeguards, with residual risk assessment
How to conduct a DPIA: step by step
Step 1: Identify the need
Screen the proposed processing against the criteria above. If two or more factors apply, proceed with a full DPIA. Document the screening decision even if you conclude a DPIA is not required.
Step 2: Describe the processing
Map the data flows: what personal data will be collected, from whom, how it will be stored, who will have access, what decisions will be made, and to whom it may be disclosed. Include sub-processors.
Step 3: Assess necessity and proportionality
Is there a less privacy-invasive way to achieve the same purpose? Could you use less data, anonymised data, or process data locally instead of sending it to the cloud? Document your reasoning.
Step 4: Identify and assess risks
For each risk, assess the likelihood and severity of potential harm to individuals. Harms include: inability to access services, financial loss, reputational damage, discrimination, identity theft, and loss of confidentiality of data protected by professional secrecy.
Step 5: Identify mitigation measures
For each risk, identify technical and organisational controls that reduce the likelihood or severity. Examples: encryption, access controls, pseudonymisation, staff training, contractual safeguards, data minimisation.
Step 6: Document residual risk and decide
After applying mitigations, what risk remains? If residual risk is acceptable, you may proceed — and should document this conclusion. If residual risk is still high, you must consult your supervisory authority before processing.
Step 7: Involve the DPO and data subjects
Where a DPO is appointed, their advice must be sought. The views of data subjects or their representatives should also be sought where feasible (Article 35(9)).
Living document: A DPIA is not a one-time exercise. It must be reviewed and updated whenever the nature, scope, context, or purposes of processing change significantly — including when you adopt new technology or expand to new use cases.
Do SMEs need to conduct DPIAs?
Yes, if the processing meets the high-risk criteria. The obligation applies to all controllers regardless of size. The GDPR exemptions for SMEs relate primarily to the Record of Processing Activities (Article 30), not to DPIAs.
What is prior consultation?
If the DPIA shows residual high risk that cannot be mitigated, Article 36 requires you to consult your supervisory authority before starting to process. The SA has up to 8 weeks (extendable to 14 weeks) to respond with written advice.
DPIA templates and compliance documentation
HubSecure's compliance module includes DPIA templates, risk scoring frameworks, and document version control to keep your assessments audit-ready.
Prepared by the HubSecure editorial team for operators, compliance leaders and IT reviewers evaluating secure client operations software.