GDPR Article 35-01: When to Conduct a Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) is your first line of defense against high-risk processing activities. GDPR mandates DPIAs before you process personal data in ways that could threaten individual rights—but knowing when one is actually required saves resources and prevents compliance gaps.
What this means
You must conduct a DPIA before starting any processing activity that presents a high risk to the rights and freedoms of individuals. Three categories always trigger this requirement: (1) systematic evaluation or profiling based on automated processing, (2) large-scale processing of special categories of personal data (health, biometrics, criminal records, etc.), and (3) systematic monitoring of publicly accessible areas. A DPIA documents the processing purpose, necessity, risks, and safeguards—essentially proving you've thought through privacy implications before launch.
How to comply
- 1.Identify all processing activities in your organization, particularly those involving automation, large datasets, sensitive data types, or public monitoring.
- 2.Classify activities by risk level: Does this involve automated decision-making? Are you processing data at scale? Does it affect vulnerable groups or track people in public spaces?
- 3.Trigger a DPIA for any processing meeting the three mandatory categories: automated profiling, special category data at scale, or systematic public monitoring.
- 4.Document the DPIA including: data types, purposes, legal basis, recipients, retention periods, technical/organizational safeguards, and risk assessment.
- 5.Consult your Data Protection Officer (DPO) if one is required or if the DPIA identifies residual high risks.
- 6.Review and update DPIAs when processing purposes, methods, or risks materially change.
- 7.Maintain completed DPIAs as evidence of compliance during audits or investigations.
Evidence auditors look for
- DPIA document for an automated hiring tool that screens CVs using machine learning
- Risk assessment for a customer database combining transaction history, location data, and behavioral profiling
- Monitoring impact assessment for CCTV systems or visitor tracking in public-facing office spaces
- Special category data DPIA for HR systems processing health or diversity information
- DPO consultation notes confirming whether a DPIA was required and approved
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates DPIA triggers by scanning your processing inventory and flagging activities requiring assessment, then guides you through structured documentation to ensure every mandatory DPIA is completed and auditable.
See how GRCWatch handles this control automatically
Start free trial