GDPR DPIA: when you need one and what it must contain (Art. 35)

By ComplyBricks · Last reviewed Jul 12, 2026

A Data Protection Impact Assessment (DPIA) is how GDPR makes you think about privacy risk before you start a high-risk processing activity, not after something goes wrong. Article 35 sets out when it's required and what it must cover.

When a DPIA is required

You must carry out a DPIA where processing is likely to result in a high risk to individuals' rights and freedoms — assessed before you begin. Art. 35(3) singles out three cases in particular:

  • Systematic and extensive profiling with significant effects on individuals (including automated decision-making);
  • Large-scale processing of special-category data (Art. 9) or data on criminal convictions/offences;
  • Large-scale, systematic monitoring of a publicly accessible area.

Supervisory authorities also publish lists of processing operations that require a DPIA — check your national authority's list.

What a DPIA must contain (Art. 35(7))

At minimum:

  1. A systematic description of the processing and its purposes;
  2. An assessment of the necessity and proportionality of the processing relative to its purpose;
  3. An assessment of the risks to the rights and freedoms of data subjects;
  4. The measures planned to address those risks — safeguards, security, and mechanisms to protect personal data.

Roles and follow-up

  • Involve your DPO. Where you have one, seek their advice (Art. 35(2)).
  • Prior consultation (Art. 36). If the DPIA shows the processing would be high-risk and you can't mitigate it, you must consult your supervisory authority before proceeding.
  • Keep it live. Review the DPIA if the processing changes.

Where it fits

A DPIA builds on your records of processing — you can't assess a processing activity you haven't mapped. For the wider picture, see GDPR compliance for SMBs.

References

  • GDPR — Regulation (EU) 2016/679: Art. 35 (DPIA), Art. 36 (prior consultation)

This guide is for general information only and is not legal advice. Requirements change and depend on your circumstances — verify against the primary sources and consult a qualified professional or your DPO before making compliance decisions.

See how one control satisfies ISO 27001, NIS2 and GDPR at once.

Explore the live demo →