What Is Data Protection Impact Assessment (DPIA)?
Data Protection Impact Assessment (DPIA) is a structured process under GDPR Article 35 for identifying and mitigating data protection risks before processing that is likely to result in high risk to individuals.
DPIAs are mandatory under GDPR when processing is likely to result in high risk — automated decision-making with significant effects on individuals, large-scale processing of sensitive data, or systematic monitoring of publicly accessible areas are the key triggers. AI systems that use personal data frequently require a DPIA. The DPIA must cover: description of the processing, necessity and proportionality assessment, risk assessment, and mitigating measures. Data protection authorities can order the controller not to proceed if risks cannot be mitigated.
Source: GDPR, Article 35