Loading…
A Data Protection Impact Assessment (DPIA) under Article 35 GDPR is required whenever processing is likely to result in a high risk to the rights and freedoms of natural persons. The Article 29 Working Party (now EDPB) set out nine criteria — when two or more apply, do a DPIA.
A defensible DPIA has five stages: describe processing, assess necessity and proportionality, identify risks, identify mitigations, then formally sign off and schedule review. ICO methodology and EDPB Guidelines align tightly on this structure.
Done well, a DPIA is a product-shaping artefact — not a compliance ritual. It surfaces risk early and forces choices about data minimisation, retention, and access. The best DPIAs are completed before the first line of code.
Article 35(1) requires a DPIA where processing is "likely to result in a high risk." Article 35(3) lists three mandatory cases:
Most Supervisory Authorities publish national lists (Article 35(4)) of additional processing that always requires a DPIA. Check the lists of your lead SA and any SAs whose Member State residents you process.
Where it's unclear, run the nine-criteria test. Two or more = DPIA required.
The foundation of any DPIA is a precise description of what you actually do with data. Capture:
Pair this with a data-flow diagram. Free-text descriptions miss things data-flow diagrams catch.
For each identifiable risk, document:
Threat-types to cover routinely: unauthorised access (insider, external attacker), modification (integrity loss), loss (destruction, unavailability), discrimination, identity theft, financial loss, reputational damage, loss of confidentiality, loss of control over data, re-identification of pseudonymised data.
For each risk, identify the planned treatment:
Re-score the residual risk after planned controls. If residual risk remains high, you must consult the Supervisory Authority before processing begins (Article 36).
Article 36 prior consultation is required when, after applying mitigations, residual risk to rights and freedoms remains high.
SA receives:
SA response window: 8 weeks (extendable by 6 weeks for complex cases). Processing cannot begin during this period without authorisation.
Scenario: A logistics company plans to introduce facial-recognition based clock-in/clock-out for 4,500 warehouse workers across 12 sites in Germany and Spain.
Threshold test: Sensitive data (Article 9 biometric data for identification) + large scale + vulnerable subjects (employees) + innovative use = clear DPIA territory. German & Spanish SA lists also list biometric workplace identification as mandatory DPIA.
Description (Stage 1): Facial templates derived from front-facing camera at site entry; matched against enrolled template stored on a per-site appliance; matches logged with timestamp and worker ID; biometric templates retained for the period of employment + 30 days; matching logs retained 3 years.
Necessity (Stage 2): Lawful basis Article 6(1)(b) employment contract + 9(2)(b) employment law obligation (Germany) and explicit consent (Spain, with works council co-determination). Considered alternatives: PIN-card swipe (rejected — buddy-punching), badge with NFC (rejected — same), fingerprint (rejected — hygiene). Justified necessity of facial templates over alternatives.
Risks (Stage 3): (a) Centralisation of biometric templates creates honeypot for breach. (b) False non-match causing wage deduction. (c) Function creep — clock-in data used for performance evaluation. (d) Employee coercion: refusing biometric collection forced opt-out into worse conditions.
Treatment (Stage 4): (a) On-prem per-site appliance; templates encrypted with HSM-managed keys; no cloud copy. (b) Manual override workflow for non-match; payroll cannot deduct based solely on clock-in failure. (c) Contractual prohibition + technical separation between clock-in data and HR performance systems. (d) Genuine opt-out path (badge fallback) with no detriment, documented in works council agreement.
Sign-off: DPO advice obtained — recommended deletion of facial templates after 7 days post-employment instead of 30. Controller accepted. Works council co-determination obtained. Residual risk: medium-low. No SA consultation required.
A focused DPIA on a single processing activity: 2–4 weeks of part-time effort, calendar-time. A complex one (new product line, biometric, AI model): 6–12 weeks. Anything quoted as "2 hours" isn't a real DPIA.
Yes — for processing already in operation, Article 35(11) review applies. SAs accept retroactive DPIAs when the processing pre-dated GDPR or when a previously DPIA-exempt processing has become high-risk.
DPIA (Article 35 GDPR) focuses on risks to rights and freedoms in the data-processing context. FRIA (Article 27 EU AI Act) extends to broader fundamental rights for high-risk AI systems — discrimination, fairness, automated-decision impact. They overlap and can be combined into a single artefact for AI use cases.
Not required, but recommended by ICO. Publishing a redacted summary is a strong trust signal. Sensitive technical or commercial detail can be omitted; the substance — purpose, lawful basis, risks, mitigations — is publishable.
SA has 8 weeks to provide written advice, extendable by 6 weeks for complex cases. They can't veto outright but can issue Article 58 corrective measures including processing bans. Plan accordingly — Article 36 cases need a 3-month runway before launch.
RegulatoryBridge runs full DPIAs — threshold test, stakeholder consultation, Article 36 SA engagement where needed. Production-ready artefact, defensible at audit.