The cheapest place to deal with a privacy risk is before it exists — in the design of a project. The Data Protection Impact Assessment is GDPR’s tool for exactly that, and running DPIAs well is one of the clearest signs of a proactive, mature approach to GDPR compliance.
This guide explains when a DPIA is required, what it must contain, the step-by-step process, how to reduce risk, and when you must consult the regulator before proceeding.
What a DPIA is
A Data Protection Impact Assessment (DPIA) is a structured process for identifying and minimising the data protection risks of a project before it goes live. Required by Article 35 for high-risk processing, it is how the privacy-by-design principle becomes a concrete, repeatable exercise.
Done early, a DPIA lets you spot and fix problems while the design is still flexible — far cheaper and easier than discovering them after launch. Done well, it is also strong evidence of accountability if a regulator ever asks.
When a DPIA is required
You must carry out a DPIA where processing is likely to result in a high risk to the rights and freedoms of individuals. GDPR specifically flags three cases: systematic and extensive profiling (or other automated evaluation) with legal or similarly significant effects; large-scale processing of special category or criminal data; and large-scale systematic monitoring of a publicly accessible area.
Supervisory authorities also publish lists of operations that require a DPIA, so check your regulator’s guidance alongside these criteria.
Indicators of high risk
Beyond the headline cases, several factors point to high risk: evaluation or scoring, automated decisions with legal effects, large-scale processing, combining datasets, data about vulnerable people, innovative technology, and processing that prevents people exercising a right or using a service.
If two or more of these apply, a DPIA is strongly advisable even if you are unsure it is strictly mandatory — the assessment itself will show whether the risk is real.
When in doubt, do one anyway
A DPIA is rarely wasted effort. Even where it is not strictly required, running a lightweight assessment is a good way to demonstrate that you considered privacy risks and to catch issues early. Many organisations make a short screening step standard for new projects, escalating to a full DPIA when the screening flags risk.
This habit turns privacy from an afterthought into a routine part of how you build.
What a DPIA must contain
Article 35 sets out the minimum content: a systematic description of the processing and its purposes; an assessment of the necessity and proportionality of the processing; an assessment of the risks to individuals; and the measures you will take to address those risks, including safeguards and security.
In other words: what are you doing, do you really need to do it, what could go wrong for people, and how will you reduce that harm?
The DPIA process step by step
A typical DPIA runs: describe the processing and data flows; assess necessity and proportionality; consult stakeholders (and your DPO); identify and rate the risks to individuals; decide measures to reduce each risk; record the outcome; and integrate the measures into the project.
It is iterative — as the design changes, the DPIA is revisited — not a one-off form completed at the end.
Assessing necessity and proportionality
A core part of the DPIA is asking whether the processing is genuinely necessary to achieve your purpose, and whether it is proportionate to the impact on individuals. Could you achieve the same goal with less data, less intrusive means, or stronger safeguards?
This is where DPIAs add real value: they force a deliberate justification rather than a default of collecting and processing whatever is convenient.
Identifying and reducing risks
For each risk — a breach exposing sensitive data, unfair automated decisions, function creep — assess the likelihood and severity of harm to individuals, then decide measures to reduce it: minimisation, pseudonymisation, access controls, human review, clearer transparency, shorter retention.
The goal is to bring the residual risk down to an acceptable level, documenting what you did and why.
Consulting the right people
A DPIA should not happen in a vacuum. Seek the advice of your DPO where you have one, involve the teams who understand the processing, and — where appropriate — seek the views of the individuals affected or their representatives.
Diverse input surfaces risks a single team would miss, and strengthens the assessment if it is ever scrutinised.
Prior consultation with the regulator
If, after applying all your measures, the processing would still be high risk, you must consult your supervisory authority before starting — this is “prior consultation”. The regulator can advise or, in serious cases, prohibit the processing.
In practice, a well-run DPIA usually reduces residual risk enough to avoid this step, but it is an important backstop for genuinely high-risk projects.
DPIAs and privacy by design
The DPIA is the operational heart of privacy by design. Running it early — while the project is still on the drawing board — is what lets you build safeguards in rather than bolt them on. Treating it as a launch-gate formality wastes its value.
Embed DPIA screening into your project and change processes so privacy risk is assessed as a matter of course.
Keeping DPIAs alive
A DPIA is not finished at sign-off. As the processing evolves — new data, new purposes, new technology — revisit the assessment to ensure the risks and measures still hold. Keep the records, because they are part of your accountability evidence.
A library of current DPIAs demonstrates a mature, proactive approach to privacy risk.
How ISpectra helps
Running effective DPIAs — and knowing when they are required — is a clear marker of mature GDPR compliance. ISpectra Technologies helps organisations build DPIA screening into their processes, run full assessments on high-risk projects, identify proportionate measures, and document outcomes so they stand up to scrutiny.
If a high-risk project is on your roadmap, a DPIA done early will save time, cost and risk later.
In one paragraph
A Data Protection Impact Assessment (DPIA), required by Article 35 for high-risk processing, is a structured way to identify and reduce privacy risks before a project launches. It must describe the processing, assess its necessity and proportionality, evaluate the risks to individuals, and set out measures to address them. Trigger a DPIA for large-scale special category processing, extensive profiling with significant effects, or large-scale public monitoring — and do one whenever risk is plausible. Run it early, consult your DPO and stakeholders, reduce residual risk, and consult the regulator if high risk remains. Done well, a DPIA is privacy by design in action.
A worked example
Suppose a company plans to introduce facial-recognition access control at its offices. That immediately raises flags: it uses biometric special category data, it monitors people systematically, and it relies on innovative technology — so a DPIA is clearly required. The assessment describes the system and data flows, then asks the necessity question: do we actually need facial recognition, or would a key card achieve the same goal with far less intrusion?
If the company still wants to proceed, the DPIA evaluates the risks — a biometric breach, mis-identification, function creep into staff surveillance — and sets measures to reduce them: store biometric templates rather than images, encrypt them, restrict access, retain them only while employment lasts, offer a non-biometric alternative, and be transparent with staff. If, after all that, the residual risk is still judged high, the company must consult its supervisory authority before switching the system on. Walking through the DPIA this way often changes the design for the better — and sometimes shows that a simpler, less risky approach was the right answer all along.