
DPIA Under GDPR: Step-by-Step Implementation Guide

Step-by-step guide to conducting a Data Protection Impact Assessment under GDPR Article 35, with triggers, methodology, and enforcement examples.

A data protection impact assessment is the compliance instrument that supervisory authorities scrutinise most aggressively when investigating high-risk processing. Between 2018 and 2025, EU data protection authorities issued over 180 enforcement actions citing DPIA failures, according to enforcement data compiled by CMS Law. Yet many organisations still treat DPIAs as checkbox exercises rather than structured risk management tools.

This guide provides a concrete, step-by-step implementation methodology for conducting a data protection impact assessment that meets Article 35 requirements and withstands regulatory scrutiny. It is aimed at DPOs, compliance officers, and project managers who need to operationalise the DPIA process rather than simply understand the theory.

When Is a Data Protection Impact Assessment Mandatory?

Article 35(1) of the GDPR requires a DPIA whenever processing is “likely to result in a high risk to the rights and freedoms of natural persons.” The threshold is forward-looking: the assessment must happen before processing begins, based on the anticipated risk profile rather than demonstrated harm.

The Three Explicit Triggers

Article 35(3) identifies three categories where a DPIA is always required:

  1. Systematic and extensive profiling with significant effects – automated decision-making producing legal or similarly significant outcomes, such as credit scoring or automated recruitment screening.
  2. Large-scale processing of special category data – Article 9 data (health, biometric, genetic, political opinions, etc.) or Article 10 criminal conviction data processed at scale.
  3. Systematic monitoring of publicly accessible areas on a large scale – CCTV networks, Wi-Fi tracking, drone surveillance, or facial recognition in public spaces.

The EDPB Nine-Criteria Framework

Beyond the three explicit triggers, the EDPB Guidelines on DPIAs (WP 248 rev.01) identify nine criteria for assessing whether processing is likely to result in high risk. When a processing activity meets two or more of these criteria, a DPIA should generally be conducted:

  • Evaluation or scoring (including profiling and predicting)
  • Automated decision-making with legal or similarly significant effect
  • Systematic monitoring of data subjects
  • Sensitive data or data of a highly personal nature
  • Data processed on a large scale
  • Matching or combining datasets from different sources
  • Data concerning vulnerable data subjects (children, employees, patients)
  • Innovative use or application of new technological or organisational solutions
  • Processing that itself prevents data subjects from exercising a right or using a service or contract

A 2024 survey by the IAPP found that 68% of organisations that applied the nine-criteria test identified processing activities requiring a DPIA that would have been missed by relying solely on the three Article 35(3) triggers.

How Do National DPA Blacklists Affect Your Obligations?

Article 35(4) requires each national supervisory authority to publish a list of processing operations that require a DPIA. These lists supplement the GDPR criteria and can impose additional obligations specific to the jurisdiction.

Key examples: the CNIL (France) lists 14 processing types including biometric identification and large-scale health data research; the ICO (UK) covers innovative technology combined with profiling and systematic processing of children’s data; the BfDI (Germany) covers employee monitoring, marketing profiling, and telecommunications traffic data.

Controllers operating across multiple member states must check every relevant blacklist and apply the most restrictive requirements. Mapping processing activities against these lists should be part of your GDPR compliance checklist.

Step-by-Step DPIA Implementation Process

A data protection impact assessment is a process, not a document. The output is documentation, but the value lies in the structured analysis. The following methodology maps directly to the four minimum elements specified in Article 35(7).

Step 1: Systematic Description of the Processing

Document the processing operations in sufficient detail for a third party to understand exactly what happens to personal data:

  • Purpose and legal basis under Article 6 GDPR, including the balancing test where legitimate interest is relied upon
  • Data categories and sources, distinguishing between direct collection and third-party data
  • Data flows through systems, cross-referenced with your Records of Processing Activities
  • Retention periods and the criteria used to determine them
  • Technology stack, particularly any automated decision-making components

Insufficient granularity is a common failure mode. The Belgian DPA’s EUR 200,000 fine against Brussels Airport arose in part because the thermal camera processing description lacked adequate detail about data flows and retention.

Step 2: Necessity and Proportionality Assessment

Article 35(7)(b) requires assessing “the necessity and proportionality of the processing operations in relation to the purposes.” The assessment must answer: Could the purpose be achieved with less data or with anonymised data? Is the scope limited to what is strictly necessary? Are retention periods the shortest possible?

Document each question and the reasoning behind your answers. Where alternatives were considered and rejected, explain why. This analysis is directly tied to the data privacy principles of data minimisation, purpose limitation, and storage limitation.

Step 3: Risk Assessment

Evaluate threats to data subjects’ rights and freedoms. For each risk, assess likelihood and severity on a defined scale (low/medium/high/very high). Structure the analysis around confidentiality risks (unauthorised access, breaches), integrity risks (inaccurate data leading to wrong decisions), availability risks (data loss), and rights and freedoms risks (discrimination, financial harm, loss of autonomy).

For each risk, document the specific scenario, affected data subjects, existing controls, and residual risk level. Generic risk registers copied between DPIAs do not satisfy Article 35(7) requirements. According to a 2025 DLA Piper survey, 41% of organisations that received DPIA-related enforcement notices were cited for risk assessments that were too generic.

Step 4: Mitigation Measures and Residual Risk

For each risk rated medium or above, define concrete mitigation measures: technical (encryption, pseudonymisation, access controls, audit logging), organisational (staff training, incident response procedures, regular audits), and contractual (Article 28 data processing agreements, data sharing agreements with defined safeguards).

After applying measures, reassess each risk to determine the residual level. If residual risk remains high despite all reasonable measures, Article 36 requires prior consultation with the supervisory authority.
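The following helper encodes the nine-criteria screening rule described earlier and the Step 3 and Step 4 logic (scoring on the four-point scale, checking that medium-or-above risks carry mitigations and a reassessment, and flagging Article 36 prior consultation when residual risk stays high). It is an added example in Python, not Legiscope's code or any regulator's method; the criterion names, the scoring matrix and the sample thermal-camera risks are constructed assumptions.

```python
from dataclasses import dataclass, field

# Screening inputs: the three Article 35(3) triggers and the EDPB WP 248 nine criteria
# (short names are constructed for this example)
ART_35_3_TRIGGERS = {"systematic_extensive_profiling", "large_scale_special_category",
                     "systematic_public_monitoring"}
EDPB_CRITERIA = {"evaluation_or_scoring", "automated_decision", "systematic_monitoring",
                 "sensitive_data", "large_scale", "matching_datasets",
                 "vulnerable_subjects", "innovative_technology", "prevents_exercising_right"}
LEVELS = ["low", "medium", "high", "very high"]  # the four-point scale from Step 3

def dpia_required(flags):
    """Screening: an explicit Article 35(3) trigger, or two or more EDPB criteria."""
    if flags & ART_35_3_TRIGGERS:
        return True, "Article 35(3) explicit trigger"
    hits = len(flags & EDPB_CRITERIA)
    return hits >= 2, f"{hits} EDPB criteria met"

@dataclass
class Risk:
    scenario: str                 # the specific scenario, not a generic register entry
    likelihood: str
    severity: str
    mitigations: list = field(default_factory=list)
    residual: tuple = None        # (likelihood, severity) after the Step 4 reassessment

def rating(likelihood, severity):
    """Constructed scoring rule: the higher of the two levels, escalated to 'very high'
    when both are at least 'high'. Replace with your organisation's own matrix."""
    li, si = LEVELS.index(likelihood), LEVELS.index(severity)
    if li >= 2 and si >= 2:
        return "very high"
    return LEVELS[max(li, si)]

def assess(risks):
    """Step 3/4 checks: every medium-or-above risk needs mitigations and a residual
    reassessment; any residual rating of 'high' or above triggers Article 36."""
    incomplete, article_36 = [], False
    for r in risks:
        if LEVELS.index(rating(r.likelihood, r.severity)) >= 1:
            if not r.mitigations or r.residual is None:
                incomplete.append(r.scenario)
                continue
            if LEVELS.index(rating(*r.residual)) >= 2:
                article_36 = True
    return {"incomplete": incomplete, "article_36_consultation": article_36}

# Constructed sample: thermal cameras at a site entrance (cf. the Brussels Airport case)
SAMPLE_FLAGS = {"systematic_public_monitoring", "sensitive_data", "large_scale"}
SAMPLE_RISKS = [
    Risk("Unauthorised access to stored temperature readings", "medium", "high",
         ["encryption at rest", "role-based access", "audit logging"], ("low", "high")),
    Risk("Inaccurate reading leads to wrongful refusal of entry", "medium", "medium"),
]
```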

Prior Consultation Under Article 36

When a DPIA shows that residual risk cannot be sufficiently reduced, Article 36 requires the controller to consult the supervisory authority before processing begins. The controller submits the DPIA along with information about responsibilities, purposes, means, safeguards, and DPO contact details.

The supervisory authority must respond within eight weeks (extendable by six weeks for complex cases). It may provide written advice, order modifications to the processing under Article 58, or prohibit the processing entirely. In practice, prior consultations remain rare – the Irish DPC reported only 23 requests in 2024, despite overseeing some of the largest data processors in Europe.

Enforcement Examples That Shaped DPIA Practice

Enforcement actions show what supervisory authorities expect:

  • Swedish DPA vs. Facial Recognition in Schools (2019): SEK 200,000 fine for using facial recognition to monitor student attendance without a DPIA.
  • Belgian DPA vs. Brussels Airport (2020): EUR 200,000 fine for deploying thermal cameras during COVID-19 without a DPIA – urgency does not waive the obligation.
  • Greek DPA vs. PwC (2022): EUR 150,000 fine for systematic employee monitoring without a DPIA.
  • CNIL vs. Clearview AI (2022): EUR 20 million fine; the absence of a DPIA was cited as an aggravating factor for large-scale biometric processing.

These cases confirm that authorities enforce DPIA obligations regardless of sector, organisation size, or whether additional compliance issues exist.

Integrating DPIAs into Your Compliance Programme

A data protection impact assessment must connect to your broader GDPR governance framework: link outputs to your Records of Processing Activities, establish review triggers when processing changes (Article 35(11)), and embed DPIA screening into project management workflows. Legiscope streamlines this integration by connecting DPIA workflows directly to processing records and compliance documentation.

Organisations that embed DPIAs into project governance report completing assessments 40% faster and identifying more risks at earlier stages, according to a 2025 benchmark study by the Centre for Information Policy Leadership.

FAQ

What is the difference between a DPIA and a privacy impact assessment?

A DPIA has a specific legal meaning under GDPR Article 35. A privacy impact assessment (PIA) is a broader concept that predates the GDPR and may not include all four elements required by Article 35(7). Any assessment conducted to satisfy GDPR obligations must meet the Article 35 requirements regardless of terminology.

Can a single DPIA cover multiple processing activities?

Yes. Article 35(1) permits a single DPIA to address “a set of similar processing operations that present similar high risks.” A retail chain deploying identical CCTV across all stores could conduct one DPIA with annexes for location-specific variations, provided the risk profile is genuinely similar.

How often should a DPIA be reviewed?

Article 35(11) requires review “at least when there is a change in the risk represented by processing operations.” In practice, supervisory authorities recommend at least annual reviews for high-risk processing, and immediate review upon material changes such as new data recipients, system migrations, or significant volume increases.

Does a DPIA guarantee that processing is lawful?

No. A DPIA assesses risk and identifies mitigation measures, but does not establish a legal basis for processing. You still need a valid legal basis under Article 6, compliance with data subject rights, adequate security measures, and all other GDPR requirements. A DPIA is one component of accountability, not a substitute for comprehensive compliance.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Panthéon-Assas University (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.