Data Protection Impact Assessment
DPIA
A systematic assessment required under Article 35 GDPR when data processing is likely to result in a high risk to the rights and freedoms of natural persons, also referenced by the EU AI Act for high-risk AI systems involving personal data.
Full Definition
A Data Protection Impact Assessment (DPIA) is a structured process required by Article 35 of the GDPR when a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. It is a key tool for operationalising the principles of data protection by design and accountability.
A DPIA is mandatory in at least three scenarios: systematic and extensive evaluation of personal aspects based on automated processing, including profiling; processing on a large scale of special categories of data or personal data relating to criminal convictions; and systematic monitoring of a publicly accessible area on a large scale. Supervisory authorities also publish lists of processing operations that require or do not require a DPIA.
The DPIA must contain at minimum: a systematic description of the envisaged processing operations and their purposes (including any legitimate interest pursued), an assessment of the necessity and proportionality of the processing in relation to the purposes, an assessment of the risks to the rights and freedoms of data subjects, and the measures envisaged to address those risks including safeguards, security measures, and mechanisms to demonstrate compliance.
The intersection of DPIAs with the EU AI Act is particularly significant. The AI Act's fundamental rights impact assessment (FRIA) required for certain deployers of high-risk AI systems builds upon the DPIA concept. Where a high-risk AI system processes personal data, the DPIA under the GDPR and the FRIA under the AI Act should be conducted in a coordinated manner to avoid duplication and ensure comprehensive risk coverage. The European Data Protection Board has emphasised this need for a holistic approach to impact assessments across both regulatory frameworks.