GDPR · Article

Running a defensible DPIA

A Data Protection Impact Assessment is not paperwork for its own sake — it is the record that shows you weighed the risk to people before you processed their data. Here is a...

A Data Protection Impact Assessment exists to answer one question before you start: could this processing put people at serious risk, and have you done enough about it? Done well, a DPIA is your evidence of accountability. Done as a box-tick, it is a liability waiting to be quoted back at you.

The goal is not a perfect document — it is a defensible decision. A regulator reviewing a DPIA wants to see that you identified the risks honestly and took proportionate steps. That is achievable with a clear, repeatable method.

When a DPIA is required

You must run one when processing is likely to result in a high risk to people’s rights and freedoms — and always in certain cases. Treat these as triggers:

  • Systematic, extensive evaluation or profiling that informs significant decisions.
  • Large-scale processing of special-category data (health, biometrics, beliefs).
  • Systematic monitoring of a publicly accessible area at scale.
  • New technologies, or combining datasets in ways individuals would not expect.
”A DPIA is not proof you avoided all risk. It is proof you saw it clearly and acted in proportion.”

Describe the processing

Start factual: what data, whose, why, how, for how long, and who it is shared with. Map the data flow end to end. Most weak DPIAs fail here — a vague description makes every later judgement impossible to defend.

Necessity and proportionality

Ask whether you actually need this processing to achieve the purpose, and whether a less intrusive route exists. Document the lawful basis, how you honour data-subject rights, and why the data collected is the minimum required. “We might need it later” is not necessity.

Common pitfall

Writing the DPIA after the system is live. The assessment is meant to shape the design — run it early enough that its conclusions can still change what you build.

Assess the risks to individuals

Focus on risk to people, not just to the business. For each risk, consider the likelihood and the severity of harm — discrimination, loss of confidentiality, identity fraud, distress. A simple, consistent scale is enough; what matters is that the reasoning is visible.

Mitigate, then decide

  1. For each high risk, record the measures that reduce it — technical and organisational.
  2. Re-rate the residual risk after mitigation.
  3. If high risk remains and you cannot reduce it, consult your supervisory authority before proceeding.
  4. Record the sign-off and the date — the DPIA is a decision record, not a draft.

Keep it on file and review it

A DPIA is tied to a specific processing operation. When that operation changes — new data, new purpose, new vendor — revisit it. Keep it with the related records of processing and control evidence so the whole story sits in one place when someone asks.

Key takeaways

  • Run a DPIA whenever processing is likely high-risk — and always for the defined trigger cases.
  • A precise description of the processing is the foundation everything else rests on.
  • Assess risk to individuals, mitigate, then record the residual risk and sign-off.
  • Do it early enough to change the design, and revisit it when the processing changes.

Want DPIAs that stay linked to your live data map? Book a 30-minute demo and we will set up your GDPR records together.

This article is general guidance, not legal advice. Verify obligations and deadlines for your organisation with qualified counsel.

GDPRDPIARisk
Put it into practice

DPIAs that stay
linked to your data

Book a 30-minute demo and we will connect your DPIAs to a live data map and records of processing.