
How to Conduct a DPIA

Structured methodology, mandatory elements and 7-step workflow for an effective DPIA.

Mandatory Elements

Article 35(7) of the GDPR sets the minimum content of every DPIA: a systematic description of the processing, an assessment of necessity and proportionality, an assessment of the risks to data subjects, and the measures envisaged to address those risks (elements 1 to 4 below). Elements 5 and 6 are not listed in Article 35(7) but follow from Article 35(2) (seeking the DPO's advice), Article 35(9) (seeking the views of data subjects where appropriate) and the accountability principle of Article 5(2).


1. Processing Description

Systematic description of processing, its purposes, data categories and subjects, recipients, retention periods.

2. Necessity Assessment

Analysis of necessity and proportionality of processing given its purposes. Is there a less intrusive alternative?


3. Risk Assessment

Systematic identification of risks to data subjects' rights and freedoms. Probability and severity of each risk.


4. Mitigation Measures

Detailed description of technical and organisational measures to reduce identified risks (pseudonymisation, encryption, access control, etc.).


5. Stakeholder Engagement

Consultation with DPO, IT/security experts, business units, and data subjects' perspective where appropriate.


6. Responsibilities

Clear definition of responsibilities for implementing mitigation measures and ongoing monitoring.

7-Step Workflow

Follow a structured 7-step approach for a complete and documented DPIA.

1. Screening
2. Process Description
3. Risk Analysis
4. Define Measures
5. DPO/Expert Consultation
6. Prior Consultation (if needed)
7. Approval & Documentation

Detailed Description of Each Step

Step 1: Screening

Determine whether a DPIA is mandatory by checking the Article 35(3) cases, the supervisory authority's Article 35(4) list of processing operations that require a DPIA, and the nine WP248 criteria for "likely high risk" processing (a DPIA is generally required when two or more apply). Describe the scope of the processing, its purposes, data categories and data subjects. Gather basic information about the technologies used and the operational context.

Step 2: Complete Processing Description

Document in detail: (a) Data flow and systems description; (b) Actors involved (Controller, Processor, DPO, etc.); (c) Legal bases and legitimacy; (d) Consent mechanisms (if applicable); (e) Retention periods; (f) Existing security measures.

Step 3: Systematic Risk Analysis

Using a structured methodology (the WP248 criteria or the CNIL method), identify the potential risks to data subjects, for example: (a) unauthorised access or personal data breach; (b) arbitrary exclusion of data subjects from a service or decision; (c) discriminatory profiling; (d) other harm to private life, such as loss of control over personal data. Rate the likelihood and severity of each risk on one consistent scale so that risks can be compared and prioritised.

Step 4: Define Mitigation Measures

For each identified risk, define technical (encryption, pseudonymisation, access control) and organisational (training, policies, audits) measures. Prioritise measures according to acceptable residual risk level.

Step 5: Expert and DPO Consultation

Involve the Data Protection Officer (under Article 35(2) the controller must seek the DPO's advice where a DPO has been designated) and the relevant specialists (IT, Security, Legal). Record the opinions collected and integrate them into the final DPIA. The DPO assesses whether the proposed measures are adequate; the decision on the processing remains with the Controller.

Step 6: Prior Consultation (if Mandatory)

If the DPIA shows that the processing would still present a high risk after the planned measures (Article 36(1)), consult the Supervisory Authority before starting the processing. Under Article 36(2) the Authority gives written advice within eight weeks of receiving the request, extendable by a further six weeks for complex processing; it may also request additional information, which pauses that period.

Step 7: Approval, Documentation and Monitoring

Obtain formal sign-off from the Controller, recording the DPO's advice and whether it was followed. Document the entire DPIA clearly and accessibly. Establish a periodic review schedule (at least annually, and whenever there is a material change in the processing or in the risk it presents, as required by Article 35(11)). Monitor implementation of the measures against the implementation plan.
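Steps 1, 3, 4 and 6 of the workflow above can be kept as a small scored risk register rather than a prose-only table. The following is an added example (not code from this page, the CNIL or any supervisory authority). It assumes the WP248 "two or more criteria" rule of thumb for screening, the four-level likelihood and severity scale used in the CNIL method (negligible, limited, significant, maximum), and its own low/medium/high banding and "any residual high risk triggers Article 36" rule; the feared events, measures and level reductions in the sample register are constructed for illustration.

```python
"""DPIA risk register helper (added example, not code from the page).

Assumptions (this example's own choices, not prescribed by the GDPR):
- WP248 criteria are keyed by short names; two or more met -> DPIA required.
- Likelihood and severity are integers 1..4 (negligible, limited, significant, maximum).
- A measure lowers likelihood and/or severity by a whole number of levels.
- Band = likelihood * severity: >= 8 high, >= 4 medium, else low.
- Any residual "high" risk means Article 36 prior consultation is required.
"""
from __future__ import annotations
from dataclasses import dataclass, field

WP248_CRITERIA = {
    "evaluation_scoring", "automated_decision_legal_effect", "systematic_monitoring",
    "sensitive_data", "large_scale", "matching_datasets", "vulnerable_subjects",
    "innovative_technology", "prevents_exercise_of_rights",
}
LEVELS = {1: "negligible", 2: "limited", 3: "significant", 4: "maximum"}


def dpia_required(criteria_met: set[str]) -> bool:
    """Step 1 screening: WP248 rule of thumb, two or more criteria -> DPIA required."""
    unknown = criteria_met - WP248_CRITERIA
    if unknown:
        raise ValueError(f"unknown WP248 criteria: {sorted(unknown)}")
    return len(criteria_met) >= 2


@dataclass
class Measure:
    name: str
    likelihood_reduction: int = 0   # levels by which the measure lowers likelihood
    severity_reduction: int = 0     # levels by which the measure lowers severity


@dataclass
class Risk:
    feared_event: str
    likelihood: int                 # 1..4, before measures
    severity: int                   # 1..4, before measures
    measures: list[Measure] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.likelihood not in LEVELS or self.severity not in LEVELS:
            raise ValueError("likelihood and severity must be in 1..4")

    def inherent(self) -> tuple[int, int]:
        return self.likelihood, self.severity

    def residual(self) -> tuple[int, int]:
        """Step 4: apply all measures; a level never drops below 1 (negligible)."""
        lik = self.likelihood - sum(m.likelihood_reduction for m in self.measures)
        sev = self.severity - sum(m.severity_reduction for m in self.measures)
        return max(1, lik), max(1, sev)


def band(likelihood: int, severity: int) -> str:
    """Step 3 scoring: product of the two levels mapped to a band (example's own cut-offs)."""
    score = likelihood * severity
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def assess(register: list[Risk]) -> dict:
    """Score every risk before and after measures and decide on prior consultation (step 6)."""
    rows = []
    for r in register:
        rows.append({
            "feared_event": r.feared_event,
            "inherent": band(*r.inherent()),
            "residual": band(*r.residual()),
            "measures": [m.name for m in r.measures],
        })
    return {
        "risks": rows,
        "prior_consultation_required": any(row["residual"] == "high" for row in rows),
    }


# Constructed sample register for a hypothetical health-record processing.
SAMPLE_REGISTER = [
    Risk("illegitimate access to health records", likelihood=3, severity=4, measures=[
        Measure("encryption at rest", likelihood_reduction=1),
        Measure("role-based access control + access logging", likelihood_reduction=1),
        Measure("pseudonymisation of identifiers", severity_reduction=1),
    ]),
    Risk("unwanted modification of records", likelihood=2, severity=3, measures=[
        Measure("integrity logging and change review", likelihood_reduction=1),
    ]),
    Risk("disappearance of records", likelihood=2, severity=3, measures=[
        Measure("tested backups", severity_reduction=1),
    ]),
]

if __name__ == "__main__":
    print("DPIA required:", dpia_required({"sensitive_data", "large_scale"}))
    result = assess(SAMPLE_REGISTER)
    for row in result["risks"]:
        print(f"{row['feared_event']}: inherent={row['inherent']} residual={row['residual']}")
    print("Article 36 prior consultation required:", result["prior_consultation_required"])
```

The residual bands, not the inherent ones, drive step 6: a register whose worst residual risk is "medium" documents why prior consultation was not needed, while a single residual "high" (for example the first risk above with no measures attached) means the Controller must consult the Supervisory Authority before starting the processing.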

Reference Methodologies

There are several internationally recognised methodologies for structuring DPIA implementation.

Methodology - Origin - Description

CNIL (France) - Commission Nationale de l'Informatique et des Libertés. Risk is modelled as a feared event (illegitimate access, unwanted modification or disappearance of data) together with the risk sources and threats that could cause it, and each risk is rated for likelihood and severity on a four-level scale. Supported by the CNIL's free PIA software and widely used internationally.

ICO (UK) - Information Commissioner's Office. Pragmatic approach focused on demonstrating compliance, with a published DPIA template. Emphasises clear documentation and consultation with data subjects.

ISO/IEC 29134 - International Organization for Standardization / International Electrotechnical Commission. International standard defining the process and the report content of a privacy impact assessment. Applicable in any regulatory context.

WP248 - Article 29 Working Party guidelines, later endorsed by the European Data Protection Board. Guidelines on DPIA listing nine criteria for "likely high risk" processing (a DPIA is generally required when two or more are met) and describing the prior consultation procedure. Official European guidance.

DPIA Deliverables

A complete DPIA should produce the following documents and artefacts.

Executive Summary

Summary for management: processing description, identified risks, proposed measures, compliance conclusion.

Detailed Technical Analysis

Complete analysis documentation including risk matrix, vulnerability assessment and proposed security measures.

DPO Opinion

Independent opinion from Data Protection Officer on the adequacy and compliance of DPIA.

Implementation Plan

Implementation schedule for mitigation measures, responsibilities, required resources and review schedule.

Consultation Records

Documentation of internal consultations (experts) and, where applicable, prior consultation with Authority.

Processing Decision

Formal decision by Controller to authorise or condition processing implementation.

Type-Specific Considerations

Different types of DPIA may require methodological adaptations depending on specific context.

See the Common Types page for type-specific guides.

Review and Update

DPIA is not a static document. It should be reviewed periodically or when context changes.

When to Review the DPIA: at least annually; whenever the purposes, data categories, recipients, retention periods or technologies of the processing change; and, as required by Article 35(11), whenever there is a change in the risk the processing presents to data subjects.

Maintain a record of all DPIA versions and review dates.

DPO's Role

The Data Protection Officer plays a central role in DPIA implementation.

Under Article 39(1) of the GDPR, the DPO: (a) informs and advises the controller or processor and its staff of their data protection obligations; (b) monitors compliance with the Regulation, other data protection law and the organisation's own policies, including assignment of responsibilities, awareness-raising, training and audits; (c) provides advice where requested on the DPIA and monitors its performance under Article 35; (d) cooperates with the supervisory authority; (e) acts as the contact point for the supervisory authority.

See complete guide on DPO role →

Next Steps

You now understand DPIA methodology. Explore specific types or request professional services.

Professional Assistance

Audiqcer offers professional DPIA conducting, reviewing and training services.

Request Diagnostic

Describe your processing context to receive personalised recommendations and effort estimate.

The information on this website is for informational purposes only and does not constitute legal advice. Conducting a DPIA should be accompanied by qualified professionals.