
DPIA Guide for SMBs: When You Need One and How to Complete It


You roll out a new HR tool that tracks employee performance. You install cameras at the entrance of your office. Six months later, during an audit, someone asks: "Did you do a DPIA for that?"

And you wonder what a DPIA even is.

A Data Protection Impact Assessment (DPIA) is one of those GDPR requirements that most SMBs only discover when it is too late. During an audit. After a complaint. When a supervisory authority comes knocking.

For certain types of data processing, a DPIA is not optional. It is a legal obligation under Article 35 of the GDPR. Skip it, and you risk fines of up to 10 million euros.

Below, we explain when a DPIA is required, what it must contain, and how to complete one without a legal team.

What is a DPIA?

A DPIA is a structured risk assessment. You use it to identify and evaluate the privacy risks of a specific data processing activity before you start (or continue) that processing.

It is a privacy stress test. You describe what you are doing with personal data, assess what could go wrong for the people whose data you process, and document how you will reduce those risks.

The GDPR introduced DPIAs in Article 35 for processing activities that are likely to result in a high risk to individuals' rights and freedoms. The idea: identify problems before they happen, not after.

A DPIA is not the same as your processing register (RoPA). Your RoPA documents all processing activities across your organisation. A DPIA zooms in on one specific processing activity that poses elevated risk.

When is a DPIA required?

Article 35 GDPR does not give you an exhaustive list. It states that a DPIA is mandatory when processing is "likely to result in a high risk to the rights and freedoms of natural persons."

That sounds vague. But the GDPR, the European Data Protection Board, and national supervisory authorities have given concrete guidance. A DPIA is required when your processing involves any of the following:

1. Large-scale processing of sensitive data

Processing health data, biometric data, data about racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, or data concerning criminal convictions. "Large-scale" depends on the number of people affected, the volume of data, the geographic scope, and the duration.

A medical practice with 5,000 patient records processes health data at scale. An HR department processing sick leave data for 500 employees may also qualify.

2. Systematic monitoring of publicly accessible areas

CCTV cameras in a shop, parking lot, or office entrance that is accessible to the public. The "systematic" part means it is ongoing and methodical, not a one-time recording.

3. Automated decision-making with legal or significant effects

Automated profiling that produces legal effects or significantly affects individuals. Examples: automated credit scoring, algorithmic recruitment screening, or insurance risk profiling that determines premiums without human review.

4. Large-scale employee monitoring

Tracking employee email, internet usage, GPS location, or productivity metrics. Even if you consider it necessary, monitoring employees at scale triggers a DPIA.

5. Combining datasets from different sources

Merging customer data from your CRM with website analytics, purchase history from another system, or third-party data. The combination creates new insights about individuals that they did not anticipate when they provided their data to each separate system.

6. Processing data about vulnerable groups

Data about children, elderly people, patients, employees (in the context of the employer-employee power imbalance), or asylum seekers. These groups are considered vulnerable because they may have less ability to consent freely or object to the processing.

7. Innovative technology or new applications

Using new technology to process personal data. Facial recognition, IoT devices that collect personal data, AI-based decision systems. When the technology is new, the risks are harder to predict, and that is the whole point of doing a DPIA upfront.

Rule of thumb: if your processing matches two or more of the criteria above, a DPIA is almost certainly required.

What must a DPIA contain?

Article 35(7) GDPR specifies four mandatory elements. Every DPIA must include:

1. A systematic description of the processing

What personal data do you process? From whom? Through which systems? Who has access? Where is the data stored? How long do you keep it? What is the legal basis?

Be specific. "We process employee data" is not enough. "We process employee name, email, job title, performance ratings, and sick leave records in BambooHR, accessible to HR managers and direct supervisors, retained for 2 years after end of employment, based on legitimate interest and legal obligation" is what you need.

2. An assessment of necessity and proportionality

Is this processing actually necessary for the purpose you stated? Could you achieve the same goal with less data, fewer recipients, or shorter retention? Is the legal basis solid?

This step forces you to justify the processing. It prevents scope creep: collecting more data than you need "just in case."

3. An assessment of risks to individuals

What could go wrong for the people whose data you process? Think about:

  • Confidentiality risks: unauthorised access to the data (data breach)
  • Integrity risks: data being altered without authorisation
  • Availability risks: data being lost or unavailable when needed
  • Rights and freedoms risks: discrimination, financial loss, reputational damage, loss of control over personal data

For each risk, assess the likelihood (how probable is it?) and the severity (how bad would it be for the individual?).

4. Measures to address the risks

For every identified risk, document what you will do to mitigate it. Examples:

  • Encryption at rest and in transit
  • Access controls and role-based permissions
  • Data minimisation (collecting only what is needed)
  • Pseudonymisation
  • Regular access reviews
  • Incident response procedures
  • Employee training
  • Contractual safeguards with processors

The measures must bring the residual risk down to an acceptable level. If they do not, you must consult your supervisory authority before proceeding (Article 36 GDPR).

How to complete a DPIA: step by step

You do not need a law firm. Follow these six steps.

Step 1: Identify the processing activity. Pick the specific processing activity that triggered the DPIA requirement. One DPIA per processing activity. Do not try to bundle your entire organisation into a single assessment.

Step 2: Describe the processing in detail. Map out the data flow. What data comes in, from where, through which systems, who accesses it, where it goes, and when it is deleted. Use your processing register as a starting point.

Step 3: Assess necessity and proportionality. Ask yourself: is this processing necessary? Could I do it with less data? Is the legal basis appropriate? Document your reasoning.

Step 4: Identify and evaluate risks. List every privacy risk you can think of. For each risk, rate the likelihood (low, medium, high) and the impact on the individual (low, medium, high). Be honest. Underestimating risks defeats the purpose.

Step 5: Define mitigation measures. For each risk, determine what controls will reduce it. Map the measure to the risk. After applying the measure, re-evaluate: is the residual risk acceptable?

Step 6: Document, review, and consult. Write it all down in a structured document. If you have a DPO, involve them (this is mandatory under Article 35(2)). If the residual risk remains high after mitigation, you must consult your supervisory authority before starting the processing.

Keep your DPIA as a living document. Review it when the processing changes, when new risks emerge, or at least once a year.
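As an added illustration (not from the article and not ComplianceHive code), here is one way to encode Steps 4 to 6 as a small risk register: each risk is rated before and after its mitigation measures, and the Article 36 consultation trigger fires when any residual risk stays high. The ordinal scale, the 3x3 matrix thresholds, and the effect attributed to each measure are assumptions chosen for illustration; the three risks are constructed for the HR performance tool from the introduction.

```python
from dataclasses import dataclass, field

# Ordinal scale for the article's low/medium/high ratings.
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Assumed effect of each measure: (likelihood levels removed, severity levels removed).
# Illustrative values only; a real DPIA justifies each reduction in writing.
MEASURE_EFFECT = {
    "encryption": (1, 0),
    "rbac": (1, 0),
    "access_reviews": (1, 0),
    "data_minimisation": (0, 1),
    "pseudonymisation": (0, 1),
}


@dataclass
class Risk:
    description: str
    likelihood: str  # low / medium / high, before any measure
    severity: str    # low / medium / high, before any measure
    measures: list = field(default_factory=list)  # keys of MEASURE_EFFECT


def rate(likelihood: int, severity: int) -> str:
    """Assumed 3x3 matrix: product >= 6 is high, >= 3 is medium, else low."""
    score = likelihood * severity
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def inherent_rating(risk: Risk) -> str:
    return rate(LEVELS[risk.likelihood], LEVELS[risk.severity])


def residual_rating(risk: Risk) -> str:
    lik, sev = LEVELS[risk.likelihood], LEVELS[risk.severity]
    for name in risk.measures:
        d_lik, d_sev = MEASURE_EFFECT[name]  # an unknown measure raises KeyError
        lik, sev = max(1, lik - d_lik), max(1, sev - d_sev)
    return rate(lik, sev)


def assess(risks: list) -> dict:
    """Outcome of Steps 5 and 6: residual level per risk and the Art. 36 trigger."""
    residuals = {r.description: residual_rating(r) for r in risks}
    unresolved = [d for d, level in residuals.items() if level == "high"]
    return {"residual": residuals, "unresolved": unresolved,
            "prior_consultation_required": bool(unresolved)}


# Constructed register for the HR performance tool (not real data).
HR_TOOL_RISKS = [
    Risk("Non-HR staff read performance ratings", "high", "medium", ["rbac", "access_reviews"]),
    Risk("Sick leave records exposed in a breach", "medium", "high", ["encryption"]),
    Risk("Ratings drive dismissals without human review", "medium", "high"),
]
```

The third risk has no measure mapped to it, so the register reports it as unresolved and flags prior consultation; that is exactly the situation Step 5 asks you to catch before starting the processing.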

What happens if you skip a required DPIA?

Skipping a DPIA when one is required is a direct violation of Article 35 GDPR. The consequences:

  • Fines up to 10 million euros or 2% of your global annual turnover, whichever is higher (Article 83(4) GDPR)
  • Orders to stop processing until a DPIA is completed
  • Reputational damage if the violation becomes public
  • Increased liability if a data breach occurs in a processing activity that should have had a DPIA

Supervisory authorities have made it clear: not knowing that a DPIA was required is not a valid defence.

DPIA checklist for SMBs

Use this checklist to determine whether you need a DPIA and to verify completeness:

Do I need a DPIA?

  • [ ] Does the processing involve sensitive data at scale?
  • [ ] Does it involve systematic monitoring (CCTV, employee tracking)?
  • [ ] Does it involve automated decisions with significant effects?
  • [ ] Does it combine datasets from different sources?
  • [ ] Does it involve data about children, employees, or other vulnerable groups?
  • [ ] Does it use new or innovative technology?

If you checked two or more boxes, you almost certainly need a DPIA.

Is my DPIA complete?

  • [ ] Processing activity described in detail (data types, systems, recipients, retention)
  • [ ] Legal basis documented
  • [ ] Necessity and proportionality assessed
  • [ ] Risks identified with likelihood and severity ratings
  • [ ] Mitigation measures documented for each risk
  • [ ] Residual risk evaluated
  • [ ] DPO consulted (if applicable)
  • [ ] DPIA linked to relevant processing register entry

How ComplianceHive helps with DPIAs

A DPIA does not exist in isolation. It connects to your processing register, your vendor inventory, and your risk management.

In ComplianceHive, your processing activities, systems, and vendors are already documented. When you identify a high-risk processing activity, you can build your DPIA on the data you have already captured: the data categories, recipients, legal basis, and security measures from your processing register.

That means you are not starting from scratch. You are extending what you already have with a focused risk assessment.

You can track DPIA status, link mitigation measures to specific risks, and keep everything in one place alongside your processing register and data subject rights procedures.


Ready to get your DPIAs under control?

ComplianceHive gives you the structure to document processing activities, assess risks, and build DPIAs on what you already have.
