DPIA Requirements in Ireland and the UK: A GDPR Article 35 Compliance Guide
A Data Protection Impact Assessment (DPIA) is mandatory before any processing likely to result in a high risk to individuals, under Article 35 of the EU GDPR in Ireland and the UK GDPR in the UK. This guide compares how the DPC and the ICO define the trigger, what the assessment must contain, and when you must consult the regulator first.

What is a DPIA, and when is it required?
A Data Protection Impact Assessment (DPIA) is mandatory whenever processing is likely to result in a high risk to the rights and freedoms of individuals, and it must be completed before that processing begins. This rule comes from Article 35 of the EU GDPR, which applies in Ireland, and from the materially identical Article 35 of the UK GDPR, which applies in the United Kingdom. A DPIA is a structured analysis that describes the processing, tests whether it is necessary and proportionate, identifies risks to people, and records the measures put in place to reduce those risks.
The obligation is risk-triggered, not optional. If a new project, system, or processing change clears the high-risk threshold, the DPIA is a legal requirement rather than a best-practice document. For organisations operating across both Ireland and the UK, the core test is harmonised, but the regulator you answer to, the published trigger lists, and the prior-consultation route differ, which is why a single internal DPIA process needs to be jurisdiction-aware.
Is a DPIA a legal obligation in Ireland and the UK?
Yes. A DPIA is a binding legal obligation in both jurisdictions, not a discretionary exercise. In Ireland it is required under Article 35 of the EU GDPR (Regulation (EU) 2016/679), with the Data Protection Act 2018 giving further effect to the GDPR, and it is supervised by the Data Protection Commission (DPC). In the UK it is required under Article 35 of the UK GDPR, supplemented by the Data Protection Act 2018 as amended by the Data (Use and Access) Act 2025, and supervised by the Information Commissioner's Office (ICO).
Failing to carry out a required DPIA, or carrying one out inadequately, is itself an infringement that can attract administrative fines and corrective action, independent of any harm caused by the underlying processing. Both regulators can also require you to consult them before high-risk processing proceeds. The practical takeaway is that the DPIA is enforceable in its own right, so the assessment must exist, be documented, and be producible on request.
- Who it binds: any controller whose processing is likely to result in a high risk to individuals, in Ireland under the EU GDPR and in the UK under the UK GDPR.
- Who enforces it: the Data Protection Commission (DPC) in Ireland and the Information Commissioner's Office (ICO) in the UK.
- When it must happen: before the processing starts, running alongside project design rather than after launch.
- Why it stands alone: not doing a required DPIA is a separate infringement, even if no breach or harm follows.
What automatically triggers a DPIA?
Article 35(3) of both the EU GDPR and the UK GDPR sets out three categories of processing that always require a DPIA. On top of that statutory minimum, each supervisory authority publishes its own Article 35(4) list of additional processing types that mandate a DPIA in its jurisdiction. You should screen new processing against both the Article 35(3) categories and the relevant national list before relying on a more general risk judgement.
The three Article 35(3) categories are common to Ireland and the UK and are the clearest starting point for screening.
- Systematic and extensive evaluation of personal aspects based on automated processing, including profiling, where decisions produce legal or similarly significant effects on the individual.
- Processing of special category data (Article 9) or criminal-offence data (Article 10) on a large scale.
- Systematic monitoring of a publicly accessible area on a large scale.
Beyond these, the DPC's national list and the ICO's national list each add further mandatory-DPIA scenarios specific to Ireland and the UK respectively.
The DPC list (Ireland) and the ICO list (UK)
In Ireland, the DPC adopted its list of processing operations requiring a DPIA on 15 November 2018 under Article 35(4). Its ten entries cover scenarios such as:
- Using personal data on a large scale for a purpose other than that for which it was originally collected.
- Profiling vulnerable people (including children) to target marketing or online services.
- Using profiling, algorithmic means, or special category data to determine access to services or to produce legal or similarly significant effects.
- Systematically monitoring or tracking individuals' location or behaviour.
- Profiling individuals on a large scale.
- Processing biometric or genetic data in combination with other risk factors.
- Indirectly sourcing data where transparency obligations are not met.
- Combining or cross-referencing datasets for profiling.
The DPC stresses that its list does not displace the general duty to risk-assess all processing.
In the UK, the ICO publishes its own list under Article 35(4) of ten further types of processing that require a DPIA, in addition to the three Article 35(3) categories:
- Innovative technology, such as AI and novel applications of existing technology.
- Denial of a service, product, or benefit based on automated decision-making.
- Large-scale profiling.
- Biometric data.
- Genetic data.
- Combining or matching data from multiple sources.
- Invisible or indirect collection where it is hard to provide a privacy notice.
- Tracking of individuals' location or behaviour.
- Use of children's or vulnerable individuals' data for marketing, profiling, or automated decisions.
- Processing that could risk physical harm.
The ICO frames its list as a screening checklist to be read alongside the EDPB criteria below.
- Screen against the three Article 35(3) categories first, then the national list for your jurisdiction.
- Ireland: apply the DPC's adopted Article 35(4) list of ten operations and the DPC's DPIA guidance.
- UK: apply the ICO's list of ten processing types plus the ICO screening checklist.
- Document the screening decision itself, including the case where you conclude a DPIA is not required.
The EDPB nine criteria for high-risk processing
Where processing is not on a published list, you still need a method to decide whether it is high risk. The guidance WP248 rev.01, originally issued by the Article 29 Working Party and endorsed by the European Data Protection Board (EDPB), sets out nine criteria. The ICO's UK guidance maps closely to the same criteria, so this framework is a reliable common screen across both jurisdictions.
As a rule of thumb, WP248 indicates that processing meeting two or more of these criteria will usually require a DPIA, and that a single criterion can be enough in some cases. When in doubt, the safer and more defensible position is to carry out the DPIA and record the reasoning.
- Evaluation or scoring, including profiling and prediction.
- Automated decision-making with legal or similarly significant effect.
- Systematic monitoring of individuals.
- Sensitive data or data of a highly personal nature, including special category and criminal-offence data.
- Processing on a large scale.
- Matching or combining datasets.
- Data concerning vulnerable data subjects, such as children, employees, or patients.
- Innovative use of new technological or organisational solutions.
- Processing that prevents individuals from exercising a right or using a service or contract.
What must a DPIA contain? (Article 35(7))
Article 35(7) sets the minimum content of a DPIA, and it is identical in the EU GDPR (Ireland) and the UK GDPR. A document that does not address all four elements is unlikely to satisfy the DPC or the ICO, even if it is detailed in other respects. Both regulators also expect the DPIA to be a living record that is reviewed when the processing changes.
The four mandatory components are set out below. In practice, regulators also expect the DPIA to record whether the data protection officer was consulted, whether the views of data subjects were sought where appropriate, and how the conclusions were signed off.
- A systematic description of the processing operations and the purposes of the processing, including any legitimate interest pursued.
- An assessment of the necessity and proportionality of the processing in relation to its purposes.
- An assessment of the risks to the rights and freedoms of data subjects.
- The measures envisaged to address those risks, including safeguards, security measures, and mechanisms to ensure protection of personal data and demonstrate compliance.
Prior consultation under Article 36
Article 36 is the step that catches teams out. If, after applying your mitigations, the DPIA still shows that the processing would result in a high residual risk, you must consult the supervisory authority before you start processing. The trigger is residual risk, not the initial risk, so a DPIA that lands on high risk after mitigation cannot simply be filed; it must be escalated.
Because the GDPR and the UK GDPR are directly applicable, Article 36 governs prior consultation in both jurisdictions on the same timeline: the supervisory authority must provide written advice within up to eight weeks of the request, extendable by a further six weeks for complex processing, and that period can be paused while the authority gathers information it has asked for. The controller cannot begin the processing until consultation is complete, and the authority can advise, set conditions, or use its powers to prevent the processing. In Ireland the request goes to the DPC through its prior-consultation channel; in the UK it goes to the ICO. (Note: Section 84 of the Irish Data Protection Act 2018 sets out a separate DPIA and prior-consultation duty for law-enforcement processing under the Law Enforcement Directive, which is distinct from general Article 36 GDPR consultation.)
- Trigger: high residual risk remaining after your planned mitigations.
- Ireland: consult the DPC under Article 36 GDPR; written advice within up to eight weeks, extendable by six weeks for complex cases.
- UK: consult the ICO under Article 36 UK GDPR; written advice within up to eight weeks, extendable by six weeks for complex cases.
- You must not start the high-risk processing while consultation is pending.
DPC Ireland vs ICO UK: a side-by-side comparison
The substantive DPIA test is harmonised across Ireland and the UK, but the regulator, the national trigger list, the supporting statute, and the prior-consultation channel differ. Organisations that operate in both markets should run one DPIA methodology that is configured to apply the correct jurisdictional layer.
| Ireland (DPC, EU GDPR) | UK (ICO, UK GDPR) |
|---|---|
| Supervisory authority: Data Protection Commission (DPC). | Supervisory authority: Information Commissioner's Office (ICO). |
| Legal basis: Article 35 EU GDPR, with the Data Protection Act 2018 giving further effect to the GDPR. | Legal basis: Article 35 UK GDPR, with the Data Protection Act 2018 as amended by the Data (Use and Access) Act 2025. |
| National trigger list: DPC list of ten operations adopted 15 November 2018 under Article 35(4). | National trigger list: ICO list of ten processing types under Article 35(4), plus an ICO screening checklist. |
| High-risk screen: Article 35(3) categories plus EDPB WP248 nine criteria. | High-risk screen: Article 35(3) categories plus ICO criteria aligned to WP248. |
| Required content: Article 35(7) four elements. | Required content: Article 35(7) four elements (materially identical). |
| Prior consultation: DPC under Article 36 GDPR; written advice within up to eight weeks, extendable by six weeks. | Prior consultation: ICO under Article 36 UK GDPR; written advice within up to eight weeks, extendable by six weeks. |
| Guidance source: DPC DPIA guidance and adopted Article 35(4) list. | Guidance source: ICO DPIA guidance, screening checklist, and sample template. |
Common pitfalls in DPIA practice
Most DPIA failures are process failures rather than analytical ones. The assessment is started too late, treated as a one-off form, or detached from the records and assessments that prove its conclusions. The pitfalls below are the ones regulators most often surface in audits and investigations.
- Starting too late: the DPIA must run before processing begins and alongside design, not after launch as a paperwork exercise.
- Skipping the screening record: failing to document why a DPIA was not needed is itself a gap, because you cannot show the decision was made.
- Stopping at high residual risk: identifying high residual risk but not triggering Article 36 prior consultation is a serious and common error.
- Treating it as static: not revisiting the DPIA when the system, vendor, purpose, or data categories change leaves the record inaccurate.
- Missing the four Article 35(7) elements: omitting the necessity and proportionality assessment, in particular, is a frequent weakness.
- Disconnected evidence: a DPIA that does not link back to the record of processing activities, transfer assessments, and supplier reviews is hard to defend on audit.
2026 regulatory developments
In the UK, the Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and is being commenced in phases, with the bulk of its data protection provisions taking effect on 5 February 2026. It reforms several parts of the UK data protection framework, including the automated decision-making rules, but it largely retains the DPIA regime: the obligation to carry out a DPIA for processing likely to result in a high risk, and the underlying definition of high-risk processing, remain fundamentally unchanged. Organisations should continue to follow Article 35 and the ICO's DPIA guidance, while watching for ICO guidance updates that reflect the Act.
In Ireland and the wider EU, the DPC continues as lead supervisory authority for many large cross-border controllers, and DPIA expectations are tightening around AI-driven processing, profiling, and international transfers. Where a DPIA covers an AI system, the EU AI Act may impose a parallel fundamental rights impact assessment (FRIA) under Article 27 for certain deployers of high-risk AI, such as public bodies, private providers of public services, and deployers using AI for creditworthiness or life and health insurance decisions. Article 27 states that the FRIA complements, rather than replaces, the GDPR DPIA, so where the two overlap you can reuse evidence across them. Mapping which assessment applies, and reusing evidence across them, is becoming a core part of getting AI projects to launch.
How Acompli supports DPIA workflows
Acompli's DPIA module is designed to assist privacy teams, not to replace human judgement. It guides screening against the Article 35(3) categories, the relevant DPC or ICO national list, and the EDPB criteria; drafts and structures the Article 35(7) content; classifies and surfaces likely risks for review; and routes the assessment to the data protection officer and approvers. The software drafts, classifies, surfaces, and routes, but a human always reviews and approves the outcome, and final legal calls remain with your DPO or legal advisers.
Because the DPIA is connected to the wider record, approved assessments can feed your record of processing activities and link to related transfer assessments, so the evidence stays consistent across tools. Where the processing involves AI systems, Acompli is building toward an opt-in, early-access AI System Register to help map EU AI Act obligations against GDPR DPIAs; that capability is on the roadmap rather than a shipped guarantee. The goal is audit-readiness: a documented, current, and defensible DPIA that a regulator can be shown on request, with a human owner accountable for the decision.
Primary sources
- GDPR Article 35 - Data Protection Impact Assessment (EUR-Lex, Regulation (EU) 2016/679)
- DPC - Data Protection Impact Assessments guidance (Ireland)
- DPC - List of processing operations requiring a DPIA (Article 35(4), adopted 15 November 2018)
- ICO - Data Protection Impact Assessments (DPIAs) guidance (UK)
- EDPB / WP248 rev.01 - Guidelines on Data Protection Impact Assessment
- Data (Use and Access) Act 2025 (legislation.gov.uk)
DPIA requirements FAQ
When is a DPIA legally required in Ireland and the UK?
A DPIA is required before any processing that is likely to result in a high risk to the rights and freedoms of individuals. In Ireland this obligation comes from Article 35 of the EU GDPR, enforced by the Data Protection Commission, and in the UK from Article 35 of the UK GDPR, enforced by the Information Commissioner's Office. Three categories always require one: systematic and extensive automated evaluation or profiling with significant effects, large-scale processing of special category or criminal-offence data, and large-scale systematic monitoring of a publicly accessible area. Each regulator also publishes its own additional list of processing that requires a DPIA.
What is the difference between the DPC and ICO DPIA requirements?
The core test is the same in both jurisdictions because Article 35 of the EU GDPR and the UK GDPR are materially identical, including the four mandatory content elements in Article 35(7). The differences are procedural. The Data Protection Commission supervises Ireland and applies its list of ten processing operations adopted on 15 November 2018, with the Data Protection Act 2018 giving further effect to the GDPR. The Information Commissioner's Office supervises the UK, applies its own list of ten processing types and a screening checklist, and operates under the Data Protection Act 2018 as amended by the Data (Use and Access) Act 2025. Prior consultation goes to the DPC in Ireland and the ICO in the UK, in both cases under Article 36.
What must a DPIA contain to satisfy a regulator?
Article 35(7) sets the minimum content, and it is the same in Ireland and the UK. A compliant DPIA must include a systematic description of the processing and its purposes, an assessment of the necessity and proportionality of the processing, an assessment of the risks to individuals' rights and freedoms, and the measures envisaged to address those risks, including safeguards and security measures. Regulators also expect a record of whether the data protection officer was consulted, whether the views of affected individuals were sought where appropriate, and how the assessment was signed off.
What happens if a DPIA shows a high risk that cannot be reduced?
If the DPIA shows that processing would still result in a high residual risk after your planned mitigations, you must consult the supervisory authority before you start, under Article 36. In Ireland you consult the Data Protection Commission and in the UK the Information Commissioner's Office. In both jurisdictions the authority must provide written advice within up to eight weeks of the request, extendable by a further six weeks for complex processing, and that period can be paused while the authority gathers information it has asked for. You cannot begin the processing while the consultation is pending.
Do small or medium-sized organisations have to do DPIAs?
Yes, if their processing is likely to result in a high risk. The DPIA obligation under Article 35 is triggered by the risk level of the processing, not by the size of the organisation or its headcount. A small business running large-scale profiling, deploying new AI-driven decision-making, or processing special category data at scale must complete a DPIA just as a large enterprise would. The under-250-employee relief that exists for some records of processing activities does not apply to DPIAs.
Does deploying AI or new technology automatically require a DPIA?
Often, yes. Innovative or novel technology, including artificial intelligence, is one of the EDPB high-risk criteria and appears on the ICO's list of processing requiring a DPIA. AI that involves profiling, automated decisions with significant effects, large-scale data use, or special category data will usually clear the high-risk threshold. Where an AI system is also in scope of the EU AI Act, a separate fundamental rights impact assessment may apply under Article 27 for certain deployers of high-risk AI; that assessment complements the GDPR DPIA rather than replacing it, so both may be needed.
How does a DPIA differ from a record of processing activities (RoPA)?
A RoPA is the organisation-wide Article 30 register that maps all processing activities, including purposes, data categories, recipients, transfers, and retention. A DPIA is the Article 35 risk assessment for specific processing that is likely to result in a high risk. The RoPA tells you what processing you do; the DPIA examines and mitigates the risk of the riskier subset. They are complementary, and a well-run programme links each DPIA back to the relevant RoPA entries so the evidence stays consistent.
How long should we keep a DPIA, and how often should it be reviewed?
There is no single fixed retention period in the GDPR, but both the DPC and the ICO treat the DPIA as a living document. You should keep it for as long as the processing it covers continues, plus a reasonable period afterwards to demonstrate accountability, and review it whenever the processing changes in a way that could affect the risk, for example a new vendor, a new purpose, additional data categories, or a change in scale. A DPIA that is never revisited quickly becomes inaccurate and weakens your audit position.
Can software complete a DPIA on its own?
No. Tools can assist by guiding the screening, drafting the Article 35(7) content, classifying and surfacing likely risks, and routing the assessment for sign-off, which saves time and improves consistency. But a DPIA requires human judgement about necessity, proportionality, and acceptable risk, and the final decision must be made and approved by a person, typically with input from the data protection officer or legal advisers. Acompli's DPIA module is built to assist and route for human approval, not to make autonomous legal decisions or replace a DPO.
Are DPIA requirements changing under the UK's Data (Use and Access) Act 2025?
The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and is being commenced in phases, with most data protection provisions taking effect on 5 February 2026. It reforms several parts of UK data protection law but largely retains the DPIA regime. The obligation to carry out a DPIA for high-risk processing and the underlying definition of high-risk processing remain fundamentally unchanged, so UK organisations should continue to follow Article 35 of the UK GDPR and the ICO's DPIA guidance, and monitor for updated ICO guidance reflecting the Act. In Ireland, the EU GDPR and DPC guidance continue to apply, with growing regulator focus on AI, profiling, and international transfers.