March 2026 · 12 min read · GDPR

GDPR Data Protection Impact Assessment: Step-by-Step Guide

When is a DPIA required, what must it contain, and how to conduct one step by step. Practical guide for GDPR Article 35 compliance.

A Data Protection Impact Assessment (DPIA) is one of GDPR's most practical tools — yet it remains one of the most misunderstood. Many organizations treat it as a bureaucratic checkbox rather than what it actually is: a structured process for identifying and reducing privacy risks before they become incidents, fines, or headlines.

This guide walks you through DPIAs step by step, from determining when one is needed to producing a compliant assessment document.

When is a DPIA required?

GDPR Article 35(1) requires a DPIA when processing is "likely to result in a high risk to the rights and freedoms of natural persons." Article 35(3) then lists three cases where a DPIA is always mandatory:

Systematic and extensive profiling with significant effects — automated evaluation of personal aspects used to make decisions that produce legal effects or similarly significant effects. This includes credit scoring, insurance risk assessment, automated hiring decisions, and behavioral advertising based on extensive profiling.

Large-scale processing of special category data — health records, biometric data, genetic data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation, or criminal offence data processed at scale. A hospital's patient record system, a genetic testing service, or a large-scale employee health monitoring programme would all trigger this criterion.

Systematic monitoring of publicly accessible areas — large-scale CCTV surveillance, Wi-Fi tracking in public spaces, or facial recognition systems deployed in public areas.

Beyond these mandatory cases, the European Data Protection Board (EDPB) guidelines identify nine criteria for assessing risk. If your processing meets two or more of these, a DPIA should be conducted:

1. Evaluation or scoring
2. Automated decision-making with legal or similarly significant effects
3. Systematic monitoring
4. Sensitive data or data of a highly personal nature
5. Data processed on a large scale
6. Matching or combining datasets
7. Data concerning vulnerable individuals (children, employees, patients)
8. Innovative use or application of technology
9. Processing that prevents individuals from exercising a right or using a service or contract

Check if you need a DPIA: Our free DPIA Helper starts with a screening step that checks your processing against all mandatory and EDPB criteria.

What a DPIA must contain

GDPR Article 35(7) specifies four minimum requirements:

1. A systematic description of the processing. What data is collected, from whom, how it is used, which systems are involved, who has access, and where the data goes. Include the purposes and legal basis. This is essentially a detailed data flow map for the specific processing activity.

2. An assessment of necessity and proportionality. Is this processing actually necessary to achieve the stated purpose? Could you achieve the same goal with less data, less intrusive methods, or shorter retention? If you are relying on consent, is it truly free and informed? If on legitimate interest, have you conducted a balancing test?

3. An assessment of risks to individuals. What could go wrong, and how would it affect the people whose data you process? Think beyond data breaches — risks include unauthorized access, purpose limitation violations, inaccurate data leading to wrong decisions, excessive collection, lack of transparency, discrimination, financial loss, reputational harm, and loss of autonomy.

4. Measures to address the risks. For each identified risk, what safeguards do you have in place or plan to implement? This includes technical measures (encryption, access control, pseudonymization), organizational measures (policies, training, audits), and contractual measures such as data processing agreements (DPAs) with processors and data sharing agreements.

Step-by-step DPIA process

Step 1: Screen for DPIA requirement

Before investing time in a full DPIA, determine whether one is actually needed. Run through the EDPB criteria above. If your processing clearly does not meet any of them, document your reasoning (the screening itself is evidence of good practice) and move on. If it meets two or more, proceed with a full DPIA.

Step 2: Describe the processing

Document the what, why, who, and how of the processing. Be specific — "we collect customer data" is not enough. Specify exactly which data fields, from which sources, through which systems, for which purposes, under which legal basis, with what retention period, and shared with which parties. Our Data Flow Mapping Tool can help you structure this information.

Step 3: Assess necessity and proportionality

Challenge your own processing. Ask hard questions: Do you really need all this data? Could you achieve the purpose with anonymized or aggregated data instead? Is your retention period the minimum necessary? Are you processing data for the purpose you told people about, or has scope crept? This is where DPIAs deliver the most practical value — they force you to justify your data practices.

Step 4: Identify and assess risks

For each potential risk, assess both the likelihood (how probable is this?) and the severity (how bad would it be for affected individuals?). Consider risks from the perspective of data subjects, not just your organization. A data breach that is a minor PR issue for you could be devastating for the individuals whose health records or financial data were exposed.

Step 5: Identify and evaluate mitigation measures

For each risk, document what controls are already in place and what additional measures are needed. Common mitigation measures include encryption (at rest and in transit), pseudonymization, access controls (role-based, least privilege), data minimization (collect only what is necessary), automated deletion at the end of the retention period, staff training, regular audits, incident response procedures, and data processing agreements with all processors.

Step 6: Consult the DPO

GDPR Article 35(2) requires the controller to seek the advice of the Data Protection Officer when carrying out a DPIA. If you have a DPO (mandatory for public bodies, large-scale monitoring, and large-scale special category processing), they must be consulted. The DPO reviews the DPIA and provides recommendations but does not need to conduct it personally.

Step 7: Document and decide

If the DPIA shows that risks can be sufficiently mitigated, document the DPIA and proceed with the processing (implementing all identified measures). If residual risks remain high despite mitigation, you must consult the supervisory authority under Article 36 before proceeding. The supervisory authority has 8 weeks to respond with written advice.

DPIA best practices

Start early. A DPIA should be conducted before processing begins — not as an afterthought. Ideally, it is part of the project design phase, when changes are still cheap and easy.

Involve the right people. A DPIA is not a solo exercise for the DPO. Include the project team, IT security, legal, and business stakeholders who understand the processing from different angles.

Be honest about risks. The DPIA is an internal document — understating risks to make the assessment look better defeats its purpose. Regulators are far more critical of organizations that failed to identify obvious risks than those that identified risks and implemented reasonable mitigations.

Keep it alive. A DPIA is not a one-time document. Review and update it when the processing changes, when new risks emerge, when technology evolves, or when the regulatory landscape shifts. Note the review date and trigger conditions for re-assessment.

Consider data subject views. Article 35(9) suggests seeking the views of data subjects or their representatives where appropriate. This is not always required, but for processing that significantly affects individuals (such as employee monitoring), consulting affected parties can improve both the DPIA and the processing design.

What happens if you skip the DPIA?

Failure to conduct a required DPIA is itself a GDPR violation, subject to fines of up to €10 million or 2% of annual turnover (Article 83(4)). Multiple supervisory authorities have issued fines specifically for missing or inadequate DPIAs. It is one of the easier violations to prove, since the obligation and the absence of the assessment are both clearly documented.

Beyond fines, skipping a DPIA means you may be processing data with unidentified and unmitigated risks. When those risks materialize as breaches or complaints, the absence of a DPIA becomes an aggravating factor in any enforcement action.


This article is for informational purposes only and does not constitute legal advice. Last updated: March 2026.