
DPIA (Data Protection Impact Assessment)

GDPR

Mandatory GDPR risk assessment for processing likely to result in a high risk to data subjects (Art. 35).

A Data Protection Impact Assessment is a structured assessment required under GDPR Art. 35 when processing (in particular, processing that uses new technology) is likely to result in a high risk to the rights and freedoms of natural persons. The EDPB lists nine criteria for identifying such processing; in general, processing that meets any two of them requires a DPIA.

Why it matters
Deploying AI/ML on personal data, biometrics, large-scale monitoring, or vulnerable subjects (children, employees, patients) almost always triggers DPIA.

Related terms

Risk Assessment
Structured identification, analysis, and evaluation of risks to assets, processes, or data.
GDPR
EU regulation governing processing of personal data of EU/EEA data subjects; fines up to €20M or 4% of global turnover.
Lawful Basis (Legal Basis for Processing)
One of six GDPR Art. 6 grounds that must apply for personal data processing to be lawful.

Does your program actually cover DPIA (Data Protection Impact Assessment)?

Run a free ComplianceIQ audit against GDPR and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.
