A Data Protection Impact Assessment exists to answer one question before you start: could this processing put people at serious risk, and have you done enough about it? Done well, a DPIA is your evidence of accountability. Done as a box-tick, it is a liability waiting to be quoted back at you.
The goal is not a perfect document — it is a defensible decision. A regulator reviewing a DPIA wants to see that you identified the risks honestly and took proportionate steps. That is achievable with a clear, repeatable method.
When a DPIA is required
You must run one when processing is likely to result in a high risk to people’s rights and freedoms — and always in certain cases. Treat these as triggers:
- Systematic, extensive evaluation or profiling that informs significant decisions.
- Large-scale processing of special-category data (health, biometrics, beliefs).
- Systematic monitoring of a publicly accessible area at scale.
- New technologies, or combining datasets in ways individuals would not expect.
Describe the processing
Start factual: what data, whose, why, how, for how long, and who it is shared with. Map the data flow end to end. Most weak DPIAs fail here — a vague description makes every later judgement impossible to defend.
Necessity and proportionality
Ask whether you actually need this processing to achieve the purpose, and whether a less intrusive route exists. Document the lawful basis, how you honour data-subject rights, and why the data collected is the minimum required. “We might need it later” is not necessity.
Writing the DPIA after the system is live. The assessment is meant to shape the design — run it early enough that its conclusions can still change what you build.
Assess the risks to individuals
Focus on risk to people, not just to the business. For each risk, consider the likelihood and the severity of harm — discrimination, loss of confidentiality, identity fraud, distress. A simple, consistent scale is enough; what matters is that the reasoning is visible.
Mitigate, then decide
- For each high risk, record the measures that reduce it — technical and organisational.
- Re-rate the residual risk after mitigation.
- If high risk remains and you cannot reduce it, consult your supervisory authority before proceeding.
- Record the sign-off and the date — the DPIA is a decision record, not a draft.
Keep it on file and review it
A DPIA is tied to a specific processing operation. When that operation changes — new data, new purpose, new vendor — revisit it. Keep it with the related records of processing and control evidence so the whole story sits in one place when someone asks.
Key takeaways
- Run a DPIA whenever processing is likely high-risk — and always for the defined trigger cases.
- A precise description of the processing is the foundation everything else rests on.
- Assess risk to individuals, mitigate, then record the residual risk and sign-off.
- Do it early enough to change the design, and revisit it when the processing changes.
Want DPIAs that stay linked to your live data map? Book a 30-minute demo and we will set up your GDPR records together.
This article is general guidance, not legal advice. Verify obligations and deadlines for your organisation with qualified counsel.