DAT-013 Data Protection Impact Assessment
Description
A Data Protection Impact Assessment (DPIA) is conducted before initiating processing activities that are likely to result in high risk to individuals, including large-scale processing of personal data, use of new technologies, and systematic profiling. DPIAs document risk, mitigations, and residual risk. Results are acted upon before the processing commences.
Rationale
DPIAs are legally required under GDPR for high-risk processing. They are also good practice for any AI SaaS product because AI-driven processing frequently meets the high-risk threshold.
Framework Mappings (7)
| Framework control | Requirement | Coverage |
|---|---|---|
| DSP-09 | Data Protection Impact Assessment | full |
| EU-AI-Art.26.8 | Deployer Obligations — GDPR Data Protection Impact Assessment Support | partial |
| GDPR-Art.35.1 | Data Protection Impact Assessment (DPIA) — Obligation to Conduct | full |
| GDPR-Art.35.7 | Data Protection Impact Assessment (DPIA) — Required Content | full |
| GDPR-Art.35.9 | Data Subject Consultation in DPIA | partial |
| RA-8 | Privacy Impact Assessments | full |
| MEASURE 2.10 | AI Privacy Risk Examination | partial |
Evidence (2)
Completed DPIA records for high-risk processing activities, documenting risk identification, mitigations applied, and residual risk acceptance.
Example: DPIA report(s) for the primary AI processing features (e.g. user profiling, automated decision-making) — each containing: necessity and proportionality assessment, identified risks to data subjects, technical and organisational mitigations, residual risk rating, DPO consultation record, and senior management sign-off
Test: Request DPIAs for the highest-risk processing activities (AI-driven processing, profiling, large-scale personal data processing). Verify: (1) DPIA was completed before the processing commenced, (2) document includes all GDPR Art.35.7 required elements (description, necessity/proportionality assessment, risks, mitigations), (3) DPO was consulted and outcome is recorded, (4) mitigations listed in the DPIA are verifiably implemented.
DPIA policy or procedure defining which processing activities trigger a mandatory DPIA, the methodology to use, and the escalation path for high residual risk.
Example: DPIA Policy (Confluence), approved by DPO, including: trigger criteria (mapping to GDPR Art.35 and ICO/EDPB lists), methodology steps, DPIA template, DPO consultation requirement, mandatory prior consultation criteria for the supervisory authority, and review cycle
Test: Request the DPIA policy and procedure. Verify: (1) defines trigger criteria that include large-scale processing, systematic profiling, and use of new technologies, (2) includes a mandatory DPIA checklist or screening tool used to decide whether a full DPIA is required, (3) specifies that the DPO is consulted on all DPIAs, (4) states when prior consultation with the supervisory authority (GDPR Art.36) is required, i.e. where residual risk remains high after mitigation, (5) has been approved or re-approved by the DPO within the last 24 months.
Questions (2)
Does your organisation conduct Data Protection Impact Assessments (DPIAs) before initiating processing activities that are likely to result in high risk to individuals, including AI-driven processing, large-scale profiling, or use of new technologies?
DPIAs must be completed before high-risk processing commences. GDPR Article 35(1) requires one wherever processing, in particular using new technologies, is likely to result in high risk; Article 35(3) names systematic and extensive profiling that produces legal or similarly significant effects, large-scale processing of special category data, and large-scale systematic monitoring of public areas as cases where a DPIA is always required. AI-driven SaaS features frequently meet this threshold.
What triggers a mandatory DPIA in your organisation?
Trigger criteria should align with the ICO or EDPB list of processing operations requiring a DPIA. AI processing, profiling and special category data must be included. Fixed-interval-only DPIAs without activity triggers indicate a control gap.