DPIA Requirements in Ireland and the UK: A GDPR Article 35 Compliance Guide
A Data Protection Impact Assessment (DPIA) is mandatory before any processing likely to result in a high risk to individuals, under Article 35 of the EU GDPR in Ireland and the UK GDPR in the UK. This guide compares how the DPC and the ICO define the trigger, what the assessment must contain, and when you must consult the regulator first.

- Who it binds: any controller whose processing is likely to result in a high risk to individuals, in Ireland under the EU GDPR and in the UK under the UK GDPR.
- Who enforces it: the Data Protection Commission (DPC) in Ireland and the Information Commissioner's Office (ICO) in the UK.
- When it must happen: before the processing starts, running alongside project design rather than after launch.
- Why it stands alone: not doing a required DPIA is a separate infringement, even if no breach or harm follows.
- Systematic and extensive evaluation of personal aspects based on automated processing, including profiling, where decisions produce legal or similarly significant effects on the individual.
- Processing of special category data (Article 9) or criminal-offence data (Article 10) on a large scale.
- Systematic monitoring of a publicly accessible area on a large scale.
- Beyond these, the DPC's national list and the ICO's national list each add further mandatory-DPIA scenarios specific to Ireland and the UK respectively.
- Screen against the three Article 35(3) categories first, then the national list for your jurisdiction.
- Ireland: apply the DPC's adopted Article 35(4) list of ten operations and the DPC's DPIA guidance.
- UK: apply the ICO's list of ten processing types plus the ICO screening checklist.
- Document the screening decision itself, including the case where you conclude a DPIA is not required.
- Evaluation or scoring, including profiling and prediction.
- Automated decision-making with legal or similarly significant effect.
- Systematic monitoring of individuals.
- Sensitive data or data of a highly personal nature, including special category and criminal-offence data.
- Processing on a large scale.
- Matching or combining datasets.
- Data concerning vulnerable data subjects, such as children, employees, or patients.
- Innovative use of new technological or organisational solutions.
- Processing that prevents individuals from exercising a right or using a service or contract.
- A systematic description of the processing operations and the purposes of the processing, including any legitimate interest pursued.
- An assessment of the necessity and proportionality of the processing in relation to its purposes.
- An assessment of the risks to the rights and freedoms of data subjects.
- The measures envisaged to address those risks, including safeguards, security measures, and mechanisms to ensure protection of personal data and demonstrate compliance.
- Trigger: high residual risk remaining after your planned mitigations.
- Ireland: consult the DPC under Article 36 GDPR; written advice within up to eight weeks, extendable by six weeks for complex cases.
- UK: consult the ICO under Article 36 UK GDPR; written advice within up to eight weeks, extendable by six weeks for complex cases.
- You must not start the high-risk processing while consultation is pending.
| Ireland (DPC, EU GDPR) | UK (ICO, UK GDPR) |
|---|---|
| Supervisory authority: Data Protection Commission (DPC). | Supervisory authority: Information Commissioner's Office (ICO). |
| Legal basis: Article 35 EU GDPR, with the Data Protection Act 2018 giving further effect to the GDPR. | Legal basis: Article 35 UK GDPR, with the Data Protection Act 2018 as amended by the Data (Use and Access) Act 2025. |
| National trigger list: DPC list of ten operations adopted 15 November 2018 under Article 35(4). | National trigger list: ICO list of ten processing types under Article 35(4), plus an ICO screening checklist. |
| High-risk screen: Article 35(3) categories plus EDPB WP248 nine criteria. | High-risk screen: Article 35(3) categories plus ICO criteria aligned to WP248. |
| Required content: Article 35(7) four elements. | Required content: Article 35(7) four elements (materially identical). |
| Prior consultation: DPC under Article 36 GDPR; written advice within up to eight weeks, extendable by six weeks. | Prior consultation: ICO under Article 36 UK GDPR; written advice within up to eight weeks, extendable by six weeks. |
| Guidance source: DPC DPIA guidance and adopted Article 35(4) list. | Guidance source: ICO DPIA guidance, screening checklist, and sample template. |
- Starting too late: the DPIA must run before processing begins and alongside design, not after launch as a paperwork exercise.
- Skipping the screening record: failing to document why a DPIA was not needed is itself a gap, because you cannot show the decision was made.
- Stopping at high residual risk: identifying high residual risk but not triggering Article 36 prior consultation is a serious and common error.
- Treating it as static: not revisiting the DPIA when the system, vendor, purpose, or data categories change leaves the record inaccurate.
- Missing the four Article 35(7) elements: omitting the necessity and proportionality assessment, in particular, is a frequent weakness.
- Disconnected evidence: a DPIA that does not link back to the record of processing activities, transfer assessments, and supplier reviews is hard to defend on audit.
Where Acompli fits for DPIA requirements
Best for Irish and UK teams focused on audit defensibility: Acompli keeps each DPIA as a structured, evidence-linked record with the Article 35(7) answers, DPO advice, residual-risk decision, reviewer approval and downstream RoPA or risk-register links visible together. It drafts, classifies, surfaces and routes the work, but a human reviewer approves the assessment and owns the final necessity, proportionality and risk judgement.
Primary sources
- GDPR Article 35 - Data Protection Impact Assessment (EUR-Lex, Regulation (EU) 2016/679)
- DPC - Data Protection Impact Assessments guidance (Ireland)
- DPC - List of processing operations requiring a DPIA (Article 35(4), adopted 15 November 2018)
- ICO - Data Protection Impact Assessments (DPIAs) guidance (UK)
- EDPB / WP248 rev.01 - Guidelines on Data Protection Impact Assessment
- Data (Use and Access) Act 2025 (legislation.gov.uk)