How to Conduct a DPIA
The Article 35 process step by step — from the threshold screen to sign-off, Article 36 consultation and review.
To conduct a DPIA under GDPR Article 35, you screen whether one is required, describe the processing, assess its necessity and proportionality and the risks to individuals, identify measures to reduce those risks, record the DPO's advice, obtain sign-off, and — where a high residual risk remains — consult the supervisory authority before processing. The two steps teams most often skip are the first and the last: the threshold screen that decides whether a DPIA is needed at all, and the review that keeps it current. This guide walks through the full sequence.
Key takeaways
- A DPIA is a process, not a form: screen → describe → assess necessity → assess risk → mitigate → DPO advice & sign-off → consult if needed → review.
- The threshold screen (Article 35(3)/(4)) decides whether a DPIA is required — record it even when the answer is no.
- Where a high residual risk remains after mitigation, Article 36 requires prior consultation with the DPC or ICO before processing.
- Article 35(11) expects a review at least when the risk changes — the DPIA is a living record, not a one-off.
The DPIA process, step by step
- Screen whether a DPIA is required. Run a short, recorded threshold check against the three Article 35(3) cases and the regulator's Article 35(4) list, so borderline projects get a documented decision rather than a guess. (See when a DPIA is required.)
- Describe the processing. Set out a systematic description of the operations and purposes, the data and data-subject categories, recipients, transfers, retention and the systems involved.
- Assess necessity and proportionality. Record the lawful basis and whether the processing is necessary for, and proportionate to, the purposes.
- Assess the risks to individuals. Identify the risks to data subjects' rights and freedoms and score likelihood and severity before controls (the inherent risk — see inherent vs residual risk).
- Identify measures to address the risks. Set out the safeguards, security and other measures, and re-assess the residual risk that remains after them.
- Record DPO advice and sign off. Capture the data protection officer's advice (Article 35(2)) and route the assessment through a named approver before it is relied on.
- Consult the supervisory authority if needed. Where a high residual risk remains after mitigation, consult the DPC or ICO under Article 36 before starting the processing.
- Review on change. Re-open the DPIA when the processing or its risk changes — Article 35(11) expects a review at least when the risk changes.
For the fields each step records, see the DPIA template; for how a tool runs the sequence with evidence-grounded drafting and human sign-off, see DPIA software.
The two steps teams skip
Most DPIA failures are not in the middle of the process but at its ends. Skipping the threshold screen means a required DPIA is never started, and a missing DPIA is independently sanctionable under Article 83(4)(a) (which covers infringements of Articles 25 to 39), separate from any later breach. Skipping the review means the DPIA reflects the project as it was at launch, not as it runs today, so the record a regulator reads no longer matches reality. Recording the screening decision (even a "no") and re-opening the DPIA on change are the cheap habits that keep the assessment defensible.
Common questions about conducting a DPIA
What are the steps of a DPIA?
A DPIA runs in a clear sequence: (1) screen whether a DPIA is required against the Article 35(3) cases and the regulator's Article 35(4) list; (2) describe the processing systematically; (3) assess its necessity and proportionality; (4) assess the risks to individuals' rights and freedoms; (5) identify the measures to address those risks and the residual risk that remains; (6) record the DPO's advice and obtain sign-off; (7) consult the supervisory authority under Article 36 if a high residual risk remains; and (8) review the DPIA when the processing or its risk changes. The first and last steps — screening and review — are the ones teams most often skip.
Who is responsible for carrying out a DPIA?
The controller is responsible for ensuring the DPIA is carried out, and must seek the advice of the data protection officer where one is designated (Article 35(2)). In practice the assessment is completed with input from the project, IT, security and legal owners who hold the facts, while the DPO advises and a named decision-maker signs off the residual-risk decision. The accountability sits with the controller; the DPO advises rather than owns the conclusion.
When do you need to consult the regulator about a DPIA?
Under GDPR Article 36, you must consult the supervisory authority — the DPC in Ireland or the ICO in the UK — before processing where the DPIA indicates the processing would result in a high risk in the absence of measures to mitigate it. In other words, if after applying your planned controls the residual risk to individuals is still high, you consult before you start. Most DPIAs do not reach this point, because the measures bring the residual risk down to an acceptable level; the prior-consultation step is for the cases that do not.
How long does a DPIA take, and how do you keep it current?
There is no fixed duration — a straightforward DPIA can be done in days, a complex one over weeks, depending on how readily the facts and stakeholders are available. The harder discipline is keeping it current: Article 35(11) expects the controller to review the DPIA at least when the risk changes, so the assessment should be re-opened when a new supplier, system, transfer or purpose changes the picture, rather than left until an annual cycle. Running the DPIA in a workflow that surfaces it for review when an upstream fact changes is what keeps it true.
Primary sources
Related research
- DPIA Template: the Article 35(7) fields a DPIA must contain, and the official templates.
- DPIA Software: when a DPIA is required, and how software runs the assessment as a defensible record.
- DPIA Requirements: Ireland & UK: Article 35 requirements under the EU and UK GDPR, with the DPC and ICO compared.