The DPIA must be performed before the processing, not after. If the system is already in production and the DPIA is identified as required, it must be executed retroactively and design decisions will likely need to be revisited.
What a DPIA is
A DPIA (Data Protection Impact Assessment) is a structured analysis that evaluates the risk a personal data processing operation poses to the rights and freedoms of the individuals concerned. It is regulated in Article 35 of the GDPR and is mandatory when the processing is likely to result in high risk: systematic and extensive profiling with automated decisions, large-scale processing of special categories of data, large-scale systematic monitoring of publicly accessible areas, and any other case the supervisory authority has published on its official list.
Why it matters
Skipping a DPIA when it is mandatory is one of the infractions supervisory authorities sanction most directly. Beyond compliance, a well-executed DPIA is the best way to detect privacy risks before the processing is in production, while design decisions can still be corrected without material cost. For processing operations subject to NIS2 or DORA that also handle personal data (the majority), the DPIA connects the privacy risk analysis with the security risk analysis, preventing disjointed documentation. The Spanish supervisory authority (AEPD) publishes a methodological guide and official templates.
Key points
If the DPIA concludes that the residual risk remains high despite the planned measures, the controller must consult the supervisory authority before starting the processing (Article 36 GDPR). Most organizations want to avoid this step, and the way to avoid it is to select measures that actually bring the residual risk down.
Three actors: data controller (decides), DPO (advises), and the affected individuals or their representatives (must be consulted where appropriate).
DPIA + security risk assessment can and should converge methodologically. Same threats, different focus: the DPIA looks at impact on the individual, the security risk assessment looks at impact on the organization.
Example: DPIA for facial-recognition CCTV deployment
A company plans to deploy cameras with facial recognition on its premises. Before purchasing, it runs a DPIA, which identifies systematic processing of biometric data (a special category under Art. 9) and systematic monitoring of a publicly accessible area. The risk is clearly high and a DPIA is mandatory. The DPIA documents the purpose (access control), the legal basis (legitimate interest or consent, depending on context), proportionality (are there less intrusive alternatives such as card or PIN?), technical measures (minimum retention, encryption, segregation), and data subject rights (how access and erasure are exercised). If residual risk is still high despite these measures, the company consults the supervisory authority. Without a DPIA, the project would have been deployed and, on a complaint, the sanction would be material.
Common mistakes
- Doing a DPIA only formally, without real depth. A checklist marked 'yes' on everything, without actual analysis, protects neither individuals nor the organization in an inspection.
- Confusing a DPIA with a security risk assessment. The risk assessment looks at impact on the organization (continuity, reputation, financial). The DPIA looks at impact on the individual (privacy, dignity, non-discrimination). They are complementary.
- Not updating the DPIA when the processing changes. Change of purpose, expansion of data processed, a new subprocessor in another country, a relevant technology change — any of those events requires a review.
- Skipping consultation of affected individuals or their representatives when 'appropriate'. GDPR does not always require it, but when it applies and is skipped, supervisory authorities consider it a methodological flaw.
Frequently asked questions
When is a DPIA mandatory?
When the processing is likely to result in high risk for the rights and freedoms of individuals. GDPR sets three automatic cases (automated decision-making at scale, special data at scale, systematic monitoring at scale) and supervisory authorities publish lists of additional processing operations that require one.
How long does a DPIA take?
It depends on the processing. A simple DPIA can be completed in 2-4 weeks. A DPIA on complex systems with multiple subprocessors, international transfers and automated decision-making can require 2-3 months including consultation of data subjects.
Who signs the DPIA?
The data controller. The DPO does not sign it but advises and issues an opinion recorded in the document itself. If the controller decides to ignore the DPO's opinion, that decision and its justification must be documented — supervisory authorities review this in inspections.