GDPR DPIA: when you need one and what it must contain (Art. 35)
By ComplyBricks · Last reviewed Jul 12, 2026
A Data Protection Impact Assessment (DPIA) is how GDPR makes you think about privacy risk before you start a high-risk processing activity, not after something goes wrong. Article 35 sets out when it's required and what it must cover.
When a DPIA is required
You must carry out a DPIA where processing is likely to result in a high risk to individuals' rights and freedoms — assessed before you begin. Art. 35(3) singles out three cases in particular:
- Systematic and extensive profiling with significant effects on individuals (including automated decision-making);
- Large-scale processing of special-category data (Art. 9) or data on criminal convictions/offences;
- Large-scale, systematic monitoring of a publicly accessible area.
Supervisory authorities also publish lists of processing operations that require a DPIA — check your national authority's list.
What a DPIA must contain (Art. 35(7))
At minimum:
- A systematic description of the processing and its purposes;
- An assessment of the necessity and proportionality of the processing relative to its purpose;
- An assessment of the risks to the rights and freedoms of data subjects;
- The measures planned to address those risks — safeguards, security, and mechanisms to protect personal data.
Roles and follow-up
- Involve your DPO. Where you have one, seek their advice (Art. 35(2)).
- Prior consultation (Art. 36). If the DPIA shows the processing would be high-risk and you can't mitigate it, you must consult your supervisory authority before proceeding.
- Keep it live. Review the DPIA if the processing changes.
Where it fits
A DPIA builds on your records of processing — you can't assess a processing activity you haven't mapped. For the wider picture, see GDPR compliance for SMBs.
References
- GDPR — Regulation (EU) 2016/679: Art. 35 (DPIA), Art. 36 (prior consultation)
This guide is for general information only and is not legal advice. Requirements change and depend on your circumstances — verify against the primary sources and consult a qualified professional or your DPO before making compliance decisions.
See how one control satisfies ISO 27001, NIS2 and GDPR at once.
Explore the live demo →