What is Data Protection Impact Assessment (DPIA)?

A Data Protection Impact Assessment (DPIA) is a documented process required by GDPR Article 35 to identify and minimise the data-protection risks of a processing activity that is likely to result in a high risk to individuals' rights and freedoms — for example large-scale profiling, special-category data, or systematic monitoring.

A DPIA forces you to assess a high-risk processing activity before you start it: describe the processing, judge its necessity and proportionality, identify risks to individuals, and decide on measures to reduce them. It is mandatory when, for example, you deploy large-scale profiling, process special-category data at scale, or systematically monitor a public area; supervisory authorities publish lists of operations that always require one.

For instance, a startup rolling out AI-driven applicant screening would carry out a DPIA before launch, documenting how it limits bias and protects candidate data. If significant residual risk remains, the controller must consult its supervisory authority before processing.

A DPIA template gives you the structure and prompts auditors and regulators expect, so the assessment goes faster and is consistent across projects. The document is not the safeguard, though — the protections you actually design in, and the decisions you make as a result, are what reduce real-world risk.

Related terms: Risk Assessment · Records of Processing Activities (RoPA) · Data Protection Officer (DPO) · Algorithmic Impact Assessment

Frequently asked questions

When is a DPIA legally required?
Under Article 35, whenever processing is likely to result in a high risk to individuals — including large-scale special-category processing, systematic large-scale monitoring, and systematic profiling with significant effects. Supervisory authorities also publish mandatory-DPIA lists.
Who is responsible for carrying out a DPIA?
The data controller is responsible. Where one is appointed, the Data Protection Officer advises on the DPIA and monitors its performance, but accountability stays with the controller.
What happens if the DPIA shows high residual risk?
If you cannot reduce a high risk through mitigation measures, Article 36 requires you to consult your supervisory authority before beginning the processing.

Toolkits that cover Data Protection Impact Assessment (DPIA)

EU GDPR

GDPR Compliance Pack for Small Business

14 editable GDPR documents — privacy notices, DSAR procedure, DPIA, breach response, processor DPA checklist — plus a pre-filled Records of Processing Activities (Art. 30) workbook and evidence checklist.


Learn more in our GDPR guide, explore the editable policy templates, or browse the full compliance glossary.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.