Skip to content
Biscotti CMP
FeaturesPricing๐Ÿ” Cookie Checkโ™ฟ Accessibility๐Ÿ“ฆ DownloadsDocumentationBlog
Login
Homeโ€บBlog

When Do You Need a DPIA? A Guide to High-Risk Data Assessments

July 7, 2026 ยท 16 min read

Quick Answer: A Data Protection Impact Assessment (DPIA) is legally required under GDPR Article 35 whenever a processing activity is likely to result in a high risk to individuals' rights and freedoms. This applies to activities such as large-scale profiling, systematic monitoring of public spaces, and processing special categories of data. Failing to conduct one when required can expose your organization to significant regulatory penalties and reputational damage.

Key Takeaways

  • A DPIA is mandatory under GDPR Article 35 for processing activities that are "likely to result in a high risk" to individuals' rights and freedoms [3]
  • Three processing types always require a DPIA: systematic evaluation of individuals, large-scale processing of sensitive data, and systematic monitoring of publicly accessible areas [3]
  • National Data Protection Authorities publish lists of processing operations that require a DPIA, providing jurisdiction-specific guidance [3]
  • Skipping a required DPIA can result in fines of up to 10 million euros or 2% of global annual turnover under GDPR
  • The EDPB adopted a standardized DPIA template in April 2026 to improve consistency across EU member states [1]
  • AI systems and machine learning models that make automated decisions with significant effects on individuals almost always require a DPIA [2]
  • Small businesses are not automatically exempt; the trigger is the nature of the processing, not the size of the organization [5]
  • A DPIA is a living document that must be reviewed and updated whenever processing activities change materially [3]
  • If residual risks remain high after mitigation, organizations must consult their supervisory authority before proceeding [3]
  • A DPIA differs from a Privacy Impact Assessment (PIA) primarily in its legal basis and mandatory consultation obligations

Key Takeaways

What Is a DPIA and Why Do You Need One?

A Data Protection Impact Assessment is a structured process that helps organizations identify, assess, and mitigate risks to individuals arising from data processing activities. Under GDPR, it is not optional guidance, it is a legal obligation for high-risk processing [3].

The core purpose of a DPIA is accountability. It forces organizations to think systematically about what data they collect, why they collect it, who has access, and what could go wrong. The Irish Data Protection Commission describes it as a tool that demonstrates an organization has considered privacy risks before processing begins, rather than after a breach occurs [5].

A DPIA typically covers:

  • A description of the processing and its purposes
  • An assessment of necessity and proportionality
  • An evaluation of risks to data subjects
  • Measures planned to address those risks

The EDPB adopted a standardized DPIA template in April 2026 to help organizations structure this process consistently across the EU [1].

When Is a DPIA Required Under GDPR?

GDPR Article 35 requires a DPIA before any processing that is "likely to result in a high risk" to the rights and freedoms of natural persons [3]. Three specific scenarios always trigger this obligation:

  1. Systematic and extensive profiling with significant effects, including automated decision-making
  2. Large-scale processing of special categories of data (health, biometric, racial origin, etc.) or personal data relating to criminal convictions
  3. Systematic monitoring of publicly accessible areas on a large scale

Beyond these three, national supervisory authorities publish lists of processing operations that require a DPIA in their jurisdiction. Organizations operating across multiple EU member states should check each relevant national list.

Decision rule: If your processing meets two or more of the EDPB's nine risk criteria (new technology, large scale, sensitive data, systematic monitoring, matching or combining datasets, vulnerable data subjects, innovative use, denial of service risk, or automated decision-making), a DPIA is almost certainly required [4].

What Counts as High-Risk Data Processing?

High-risk processing is defined by the nature, scope, context, and purpose of the activity, not simply by the volume of data involved. The EDPB provides guidelines identifying specific characteristics that elevate processing to high-risk status [4].

Key indicators include:

Risk Indicator Example
Automated decision-making Credit scoring, insurance risk models
Sensitive data categories Health records, biometric authentication
Large-scale processing National loyalty program databases
Public area monitoring CCTV with facial recognition
Data matching or combining Cross-referencing social media with purchase history
Vulnerable data subjects Children, patients, employees
New or unproven technology Generative AI, emotion detection tools

A single indicator does not automatically mandate a DPIA, but two or more in combination almost always do. Processing that involves both sensitive data and automated decision-making, for instance, clears the threshold without question.

How Do I Know If My Business Needs a DPIA?

The answer depends on what your organization actually does with personal data, not on your industry or company size. Any controller, whether a startup, a hospital, or a marketing agency, must conduct a DPIA if their processing meets the high-risk threshold [5].

A practical screening process:

  1. Map all current data processing activities
  2. Apply the EDPB's nine risk criteria to each activity
  3. Check your national supervisory authority's published "must-do" list
  4. For any activity scoring two or more criteria, initiate a DPIA
  5. Document the screening decision even when a DPIA is not required

Common mistake: Organizations assume that because they are small, they are exempt. Size is irrelevant. A two-person startup running an AI-based hiring tool that makes automated decisions about job applicants must conduct a DPIA.

What Happens If You Don't Do a DPIA When Required?

Failing to conduct a required DPIA is itself a violation of GDPR, independent of whether any actual harm to data subjects occurs. Supervisory authorities can impose fines of up to 10 million euros or 2% of global annual turnover for this specific infringement [3].

Beyond financial penalties, the consequences include:

  • Mandatory suspension of the processing activity
  • Reputational damage from public enforcement decisions
  • Increased scrutiny and audit obligations from the supervisory authority
  • Personal liability for Data Protection Officers who failed to advise correctly

If residual risks remain high after mitigation measures are applied, organizations must consult their supervisory authority before the processing begins. Proceeding without that consultation is an additional violation [3].

DPIA vs. Privacy Impact Assessment: What Is the Difference?

A Privacy Impact Assessment (PIA) is a broader, voluntary best-practice framework that predates GDPR. A DPIA is its legally mandated successor under EU data protection law. The two terms are sometimes used interchangeably, but they carry different obligations.

Feature PIA DPIA
Legal basis Best practice GDPR Article 35
Mandatory No Yes, when high risk
Supervisory authority consultation Not required Required if residual risk is high
Standardized template Varies EDPB template (2026) [1]
Documentation obligation Recommended Legally required

Organizations that conducted PIAs before GDPR came into force should review whether those assessments meet the more rigorous DPIA standard.

DPIA Requirements for AI and Machine Learning

AI systems that make or significantly influence decisions about individuals almost always require a DPIA. Automated decision-making with legal or similarly significant effects is one of the three core triggers under GDPR Article 35 [4].

The EU AI Act, which became fully effective August 2, 2026, introduces an additional layer: the Fundamental Rights Impact Assessment (FRIA) for high-risk AI systems. Organizations are strongly encouraged to integrate their DPIA and FRIA processes to avoid duplicating effort and to ensure comprehensive coverage of both data protection and fundamental rights risks [2].

Specific AI use cases that require a DPIA include:

  • Recruitment algorithms that filter or rank candidates
  • Credit and insurance scoring models
  • Predictive policing or fraud detection systems
  • Health diagnosis or treatment recommendation tools
  • Behavioral advertising platforms using inferred profiles

Edge case: Even AI systems that do not make final decisions but significantly influence human decision-makers can trigger the DPIA requirement if the underlying data processing is large-scale or involves sensitive categories.

Do Small Businesses Need to Do DPIAs?

Small and medium-sized enterprises are not exempt from DPIA obligations. The legal trigger is the nature and risk level of the processing activity, not the size or revenue of the organization [5].

That said, many small businesses engage in low-risk processing, managing a customer email list, for example, that does not require a DPIA. The obligation only arises when the processing itself crosses the high-risk threshold.

Choose a DPIA if your small business:

  • Uses automated profiling to personalize content or pricing
  • Processes health, financial, or biometric data
  • Operates a platform where children are likely users
  • Deploys tracking technologies that build behavioral profiles at scale

A consent management platform such as Biscotti CMP can help small businesses manage consent records and demonstrate accountability, which supports the broader compliance framework within which a DPIA sits.

What Should Be Included in a DPIA Report?

A complete DPIA report must contain several mandatory elements under GDPR Article 35(7) [3]:

  1. Systematic description of the processing operations and their purposes, including the legitimate interest pursued if applicable
  2. Assessment of necessity and proportionality relative to the stated purpose
  3. Assessment of risks to the rights and freedoms of data subjects
  4. Measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure data protection

The EDPB's 2026 standardized template structures these elements into a consistent format that supervisory authorities across the EU recognize [1]. Using it reduces the risk of a DPIA being deemed incomplete during an audit.

Additional best-practice elements include consultation records with the Data Protection Officer, stakeholder input from data subjects or their representatives where feasible, and a residual risk sign-off.

How Much Does a DPIA Cost, and Can You Do It Yourself?

The cost of a DPIA varies widely depending on complexity. A straightforward internal assessment for a well-documented processing activity can be completed in-house in a matter of days. Complex assessments involving AI systems, cross-border data flows, or multiple data controllers can take weeks and may warrant external legal or technical expertise.

Rough cost ranges (estimates based on market norms):

  • Internal DPIA for low-complexity processing: minimal cost, primarily staff time (8-20 hours)
  • Consultant-led DPIA for moderate complexity: typically 2,000-8,000 euros
  • Full legal and technical review for high-complexity AI systems: 10,000 euros or more

Organizations with an appointed DPO should involve them from the outset. The DPO's role includes advising on whether a DPIA is required and reviewing the completed assessment [3]. For organizations without in-house expertise, engaging a specialist consultant is advisable for any processing that involves new technology or sensitive data categories.

How Often Should You Update or Redo a DPIA?

A DPIA is not a one-time exercise. It is a living document that must be reviewed whenever there is a material change to the processing activity it covers [3].

Triggers for a review or full reassessment include:

  • Introducing new technology or a new vendor in the processing chain
  • Expanding the scope or volume of data collected
  • Changing the purpose of the processing
  • A data breach or near-miss that reveals previously unidentified risks
  • New guidance from a supervisory authority that affects the risk assessment
  • Significant changes in the legal or regulatory environment

As a baseline, organizations should schedule a periodic review of all DPIAs at least every two to three years, even in the absence of specific changes. The EDPB treats DPIAs as accountability tools that must reflect current reality, not historical snapshots [3].


DPIA Decision Checker


Frequently Asked Questions

Does a DPIA need to be completed before processing starts? Yes. GDPR Article 35 requires the DPIA to be conducted prior to the processing activity, not after it has begun. Starting high-risk processing without a completed DPIA is itself a violation [3].

Who is responsible for conducting a DPIA? The data controller is legally responsible. Where a Data Protection Officer has been appointed, they must be consulted during the process. Processors can assist but the accountability sits with the controller [3].

Does a DPIA need to be made public? No. There is no legal requirement to publish a DPIA. However, organizations must make it available to their supervisory authority on request, and the general conclusions may be shared with data subjects as part of transparency obligations.

What is prior consultation and when does it apply? If a DPIA concludes that residual risks remain high after all mitigation measures have been applied, the controller must consult their supervisory authority before proceeding. The authority then has up to eight weeks to respond [3].

Can one DPIA cover multiple similar processing activities? Yes. The EDPB confirms that a single DPIA can address a set of similar processing operations that present comparable high risks. This is common for organizations running multiple campaigns or products with the same underlying data architecture [4].

Does GDPR apply if my company is outside the EU? GDPR applies to any organization that processes the personal data of EU residents, regardless of where the organization is based. Non-EU companies targeting EU users must comply with DPIA obligations just as EU-based companies do.

Is a DPIA required for existing processing activities? A DPIA is primarily required for new processing. However, if an existing activity changes materially or if it was never assessed and carries high risk, a retrospective DPIA is strongly advisable and may be required by a supervisory authority [3].

What role does a consent management platform play in DPIA compliance? A consent management platform like Biscotti CMP helps organizations collect, record, and manage user consent in a manner that supports the accountability requirements underpinning DPIA compliance, particularly for cookie-based tracking and behavioral profiling activities.


Conclusion

Understanding when do you need a DPIA, and conducting a guide to high-risk data assessments with genuine rigor, is one of the clearest markers of a mature data protection program. The obligation is not bureaucratic box-ticking: it is a structured method for identifying harm before it reaches data subjects.

Actionable next steps for 2026:

  1. Map all processing activities and screen each against the EDPB's nine risk criteria [4]
  2. Download and use the EDPB's standardized DPIA template, adopted in April 2026 [1]
  3. Check your national supervisory authority's published list of mandatory DPIA activities
  4. For any AI or machine learning deployment, integrate your DPIA with the EU AI Act's FRIA process [2]
  5. Set calendar reminders to review existing DPIAs at least every two years or after any material change
  6. If residual risks remain high after mitigation, consult your supervisory authority before proceeding [3]
  7. Ensure your consent management infrastructure, including tools like Biscotti CMP, supports the accountability records your DPIA program depends on

Organizations that treat DPIAs as living accountability tools, rather than one-time compliance tasks, will be better positioned to adapt as regulatory expectations continue to evolve.


References

[1] Enhancing Compliance And Consistency Edpb Adopts Dpia Template Et - https://www.edpb.europa.eu/news/enhancing-compliance-and-consistency-edpb-adopts-dpia-template_et?utm_source=openai

[2] Integrating Dpia And Fria Under The Eu Ai Act - https://digital.nemko.com/insights/integrating-dpia-and-fria-under-the-eu-ai-act?utm_source=openai

[3] When Data Protection Impact Assessment Dpia Required En - https://commission.europa.eu/law/law-topic/data-protection/rules-business-and-organisations/obligations/when-data-protection-impact-assessment-dpia-required_en?utm_source=openai

[4] Data Protection Impact Assessment En - https://www.edpb.europa.eu/topics/accountability-and-compliance-tools/data-protection-impact-assessment_en?utm_source=openai

[5] Guide Data Protection Impact Assessments - https://www.dataprotection.ie/en/dpc-guidance/guide-data-protection-impact-assessments?utm_source=openai

[6] Data Protection Impact Assessments - https://cy.ico.org.uk/for-organisations/law-enforcement/guide-to-le-processing/accountability-and-governance/data-protection-impact-assessments/?utm_source=openai

โ† Back to blog
Biscotti CMP

Consent Management and Legal Text Generator by Campcruisers GmbH (Falkensee). Can support your website compliance.

Product

๐Ÿข About UsFeaturesPricingDocumentation๐Ÿ” Cookie Check๐Ÿ“ฆ Downloads๐Ÿ“š Privacy & Consent Knowledge Base๐Ÿ“ Blog๐Ÿ“– Cookie Consent & Privacy Glossary๐ŸŒ Jurisdictionsโ™ฟ WCAG 2.2 Accessible Consent Banner

Legal

ImprintPrivacy PolicyTerms of ServiceRight of WithdrawalDPACookie Policy

Contact

Contact
ยฉ 2026 Biscotti โ€“ A service of Campcruisers GmbH๐Ÿช Change cookie settings