What is a DPIA under GDPR Article 35?
A Data Protection Impact Assessment (DPIA) is a structured assessment used to identify, evaluate, and reduce privacy risks before high-risk processing begins. Under GDPR Article 35, a DPIA is mandatory where planned processing is likely to result in a high risk to the rights and freedoms of natural persons.
A DPIA is not just a compliance form. It is the point where a privacy team records what a project will do with personal data, why the processing is necessary, what could go wrong for individuals, and which controls will reduce the risk before launch. Acompli treats the completed DPIA as source evidence: approved answers can feed the risk register, Article 30 RoPA entries, and the wider compliance record.
When is a DPIA required?
GDPR Article 35 requires a DPIA where processing is likely to result in a high risk to individuals. The Irish Data Protection Commission says DPIAs are mandatory for new high-risk processing projects and should be carried out early enough to influence the project design. The UK ICO uses the same core test under UK GDPR: if high risk is likely, the DPIA must be completed before processing starts.
Common triggers include systematic monitoring, large-scale processing of special-category data, automated decision-making with significant effects, use of new technologies, profiling, processing involving vulnerable people, and processing where individuals may find it difficult to exercise their rights.
What should a DPIA contain?
A defensible DPIA should show the reasoning behind the processing, not just the final decision. At minimum it should contain:
- A clear description of the processing operation, data flows, systems, suppliers, and affected individuals.
- An assessment of necessity and proportionality, including lawful basis and data minimisation.
- The risks to individuals, including likelihood, severity, and affected rights.
- The measures that reduce those risks, including technical, organisational, contractual, and governance controls.
- Consultation records, DPO advice where applicable, sign-off, residual risk, and review dates.
How do you carry out a DPIA?
The DPC describes DPIA work as a practical project process: identify whether a DPIA is required, describe the information flows, identify risks, evaluate solutions, sign off the outcome, and integrate the resulting controls back into the project plan. That final step matters. A DPIA that does not change the project, assign actions, or update records is only partial evidence of accountability.
In Acompli, this means a DPIA starts from a structured template, draws context from the organisational knowledge base, routes responses through AI-assisted drafting and human review, then carries approved findings downstream into risk and RoPA workflows.
What is the difference between a DPIA and a RoPA?
A DPIA and a RoPA answer different questions. A DPIA asks whether a specific activity is high risk and what controls are needed before it proceeds. A RoPA records the organisation's processing activities under GDPR Article 30. In practice they should be connected: a completed DPIA contains the purposes, categories of data, recipients, transfers, retention, safeguards, and review decisions that a good Article 30 record also needs.
What are examples of processing that may need a DPIA?
Examples include employee monitoring, large-scale use of health data, customer scoring, biometric access systems, AI-assisted decisioning, children's services, location tracking, connected-device telemetry, and any project combining datasets in a way that changes what individuals could reasonably expect.
When must the DPC or ICO be consulted?
If the DPIA shows that a high risk remains after mitigation, the controller may need to consult the relevant supervisory authority before processing. The DPC describes this as prior consultation under Article 36 where intended processing would result in high risk in the absence of mitigating measures.
How Acompli supports DPIA work
Acompli is built around the work pattern a DPIA requires: structured templates, organisation-specific context, AI-assisted drafting, compliance gating, reviewer approval, downstream risk extraction, and Article 30 mapping. That makes the DPIA useful beyond sign-off. The approved assessment becomes evidence that can be reused when the processing activity changes, a regulator asks for records, or a similar project starts later.
DPIA checklist for privacy teams
- Screen the project early, before design decisions are fixed.
- Map the systems, suppliers, data categories, recipients, and transfer locations.
- Record lawful basis, necessity, proportionality, and data minimisation.
- Identify risks to people, not only risks to the organisation.
- Assign mitigation owners and review dates.
- Connect approved outputs to the risk register and Article 30 RoPA.
- Review the DPIA when the processing, supplier, technology, or risk profile changes.
Frequently asked questions
What is a DPIA?
A Data Protection Impact Assessment (DPIA) is a structured assessment used to identify and reduce data protection risks before high-risk processing begins. Under GDPR Article 35, controllers must carry out a DPIA where processing is likely to result in a high risk to individuals.
When is a DPIA required under GDPR?
A DPIA is required when planned processing is likely to result in a high risk to the rights and freedoms of natural persons, especially where new technologies, large-scale monitoring, special-category data, vulnerable individuals, or automated decision-making are involved.
What should a DPIA contain?
A DPIA should describe the processing, assess necessity and proportionality, identify risks to individuals, set out measures to address those risks, record consultation and sign-off, and feed the outcome back into the project plan.
What is the difference between a DPIA and a RoPA?
A DPIA is a risk assessment for a specific high-risk processing activity under Article 35 GDPR. A RoPA is the Article 30 register of processing activities across the organisation. DPIA findings often provide the evidence used to create or update RoPA entries.
Can Acompli help complete DPIAs?
Yes. Acompli provides structured DPIA templates, AI-assisted drafting, evidence grounding, human review, downstream risk extraction, and Article 30 field mapping so approved DPIAs can support the wider compliance record.