Data Protection Impact Assessment (DPIA) under the EU General Data Protection Regulation


The Data Protection Impact Assessment (DPIA) is the central and mandatory instrument for risk assessment of data processing operations. The purpose of the DPIA is to identify data protection risks at an early stage and to take appropriate measures to reduce them.

What is a Data Protection Impact Assessment?

The DPIA is the central measure of the risk-based approach of the GDPR. Companies must check, for each processing of personal data, whether it poses high risks to the rights and freedoms of the data subjects. For processes where this is the case, the actual DPIA is then carried out: a detailed description and assessment of the data protection risks. The main objective of the DPIA is to assess particular risks to the rights and freedoms of data subjects and to take appropriate protective measures.

When should a DPIA be performed?

The GDPR provides that a DPIA must be carried out whenever data processing operations, in particular those using new technologies, pose a high risk to the rights and freedoms of individuals. Article 35 GDPR also contains regulatory examples that make the performance of a DPIA mandatory, such as the systematic and comprehensive assessment of personal aspects or the processing of special categories of data. In addition, supervisory authorities have published so-called positive lists containing processing operations for which a DPIA is mandatory.

How do you perform a DPIA?

To properly implement the legal requirement to perform a DPIA, it is critical to identify and then thoroughly review the data processing operations that pose potential risks. The GDPR sets out minimum requirements for the content of a DPIA. These include a systematic description of the processing operations, an assessment of their necessity and proportionality, and a risk assessment for the data subjects. In addition, companies must define measures to mitigate the risks and ensure data protection, and must seek the advice of the data protection officer. If a high risk remains after the DPIA, the company must also consult the data protection authority.


The DPIA is a legal obligation and an essential tool for assessing and mitigating data protection risks when introducing new processes or technologies in companies. It serves to protect the data subjects, but also to protect your company. Especially in times of digitalization and the introduction of new technologies, it is essential for companies to address the potential risks and the necessary protective measures.