Back to blogCompliance

How to conduct a Data Protection Impact Assessment (DPIA)?

NRNicolas Renard·July 24, 2026· 7 min read

A Data Protection Impact Assessment, or DPIA, is a mandatory study for any personal data processing likely to result in a high risk to the rights and freedoms of data subjects: large scale profiling, video surveillance, health data processing, among others. The CNIL provides a free tool, PIA, along with a detailed methodology to structure this assessment, which weakens the excuse of lacking the tools to carry one out.

When is a DPIA mandatory?

A DPIA is required whenever a processing activity meets at least two of the following criteria: evaluation or scoring of individuals, automated decision making with legal effect, systematic monitoring, large scale processing of sensitive data, data matching, or processing concerning vulnerable individuals.

GDPR Diagnostic·See a diagnostic preview

The steps of a DPIA

  1. Describe the intended processing: purposes, data collected, recipients, retention period.
  2. Assess the necessity and proportionality of the processing in relation to its purpose.
  3. Identify the risks to data subjects: illegitimate access, unwanted alteration, loss of data.
  4. Assess the severity and likelihood of each identified risk.
  5. Define measures to reduce these risks to an acceptable level.
  6. Document the entire process, so it can be presented to the data protection authority in the event of an inspection.

Typical structure of a DPIA

SectionContent
ContextDescription of the processing, purposes, data controller
PrinciplesNecessity, proportionality, measures ensuring data subject rights
RisksSources of risk, potential impacts, existing measures
Action planAdditional measures to implement and their owners

Common mistakes

  • Conducting the DPIA after the processing has gone live, when it should precede its implementation.
  • Limiting it to a list of technical security measures, without actually assessing the risks to individuals.
  • Never updating the DPIA as the processing evolves.

A well conducted DPIA is not just a template to fill in: its value depends entirely on how seriously the risk assessment inside it is done, not on its formal compliance with the expected outline. A DPIA produced for form's sake, without genuinely questioning the processing, protects data subjects no better and offers no real safeguard in the event of an inspection. Building on a map of processing activities and risks already identified during a GDPR diagnostic, however, considerably speeds up its completion.

Ready to assess your organization?

Try for free