Data Protection Impact Assessment (DPIA) is a risk assessment process that the General Data Protection Regulation (GDPR) advises data controllers and processors to carry out. It is not mandatory for everyone. Still, it does help in determining the potential risks that may arise while handling personal data and helps to minimize or eliminate them. The DPIA is an important tool to analyze whether your organization meets the GDPR standards.  Please read our guide to GDPR for detailed info on the Regulation.

This article briefly discusses why the DPIA is necessary, when is it required, and how to implement it.

Why is DPIA Important?

The DPIA makes your organization several steps closer to GDPR compliance. Conducting a DPIA will assist in identifying the measures the organization needs to adapt to be compliant (GDPR compliance checklist). Non-compliance could land you in legal trouble. The fines are massive – up to 4% of annual global turnover or €20 million, whichever is higher. You could also face strict actions that will harm your organization’s reputation. Read more about GDPR fines and penalties here.

Identifying risks and handling them early in the process will minimize any risk of such consequences, and plan and manage the project’s finances better. Moreover, documenting the assessment process and findings will help in avoiding potential threats and help in being accountable.

When is DPIA Needed?

Per Article 35 of the GDPR, any organization that does large-scale processing of data, and its nature and purpose of the processing are likely to result in a high risk to the rights and freedom of the data subjects is liable to do the DPIA.

Following are the scenarios in which the DPIA should necessarily be carried out:

The DPIA is also necessary if the processing requires the use of innovative technologies, personal data of children, biometric data, or tracking location or behavior of data subjects.

How is DPIA Implemented?

Organizations should implement the DPIA at the inception of a project before processing the data. It should begin with identifying the need for such an assessment first. An extensive DPIA template (.docx direct download) form is available on ICO’s website. Organizations can make use of that or create one of their own to document the assessment, per the guidelines on the DPIA by Article29 working party (PDF direct download).

The DPIA steps recommended by ICO:

DPIA flowchart - ICO

The assessment document should at least contain the following information:

  • The nature, scope, context, and purpose of the processing.
  • The assessment of the lawful basis of the processing.
  • Identifying potential risks to rights and freedom of data subjects, its source, and nature. Also, risks relating to compliance in such cases.
  • Identifying the appropriate measures to tackle such risks and protecting the personal data, and to avoid any compliance-related issues that may arise as a result of the risks.


Make sure the DPIA is carried out under the supervision of a Data Protection Officer (DPO) if your organization has appointed one, or a professional. Execute each step carefully and seek legal help whenever needed. You do not have to send every DPIA report to the respective Data Authority. However, if the potential risk is high, and your organization alone cannot minimize it, consult them for guidance. You cannot proceed with the processing before consulting the authority and following their instructions. Nevertheless, always save a copy of the report with you.

Disclaimer: This article is not legal advice. The sole purpose of the article is to share general information with the readers. Therefore, for any legal query and help, please contact a lawyer or a professional in the area.