A Data Protection Impact Assessment (DPIA) is a structured assessment of the privacy risks of a data-processing activity. Under GDPR you must run one when processing is likely to result in a high risk to individuals. AI that profiles people, makes automated decisions, or processes sensitive data at scale frequently meets that bar, so DPIAs are a routine part of deploying AI responsibly.
What is a DPIA?
A DPIA documents what a system does with personal data, the risks that creates for the people involved, and how those risks are reduced. It is both a compliance requirement and a practical design tool: done early, it surfaces problems while they are still cheap to fix.
When is a DPIA required for AI?
GDPR Article 35 requires a DPIA, carried out before processing starts, for processing likely to result in a high risk to individuals. Article 35(3) names three cases that AI systems often meet:
- Systematic and extensive evaluation of personal aspects by automated means, including profiling, on which decisions are based that produce legal effects or similarly significantly affect people.
- Large-scale processing of special category data (health, biometrics, and more) or of data relating to criminal convictions and offences.
- Large-scale systematic monitoring of a publicly accessible area.
If an AI system hits any of these, assume a DPIA is needed unless you can justify otherwise and record that justification. Supervisory authorities also publish their own lists of processing operations that require a DPIA, so check the list of the authority you answer to: it may add triggers beyond the three in the Regulation.
DPIA vs FRIA
The EU AI Act adds a second assessment for deployers of certain high-risk AI systems: the Fundamental Rights Impact Assessment (FRIA). A DPIA covers risks to individuals arising from the processing of their personal data; a FRIA covers risks to fundamental rights more broadly, including for people who are affected by the system but whose data it may not process. Where both apply, run them together so the FRIA builds on the DPIA rather than duplicating it. See our guide to the EU AI Act and GDPR.
How to run a DPIA for an AI system
- Describe the processing, the data involved, the purpose, and any legitimate interest relied on. For an AI system, cover training data as well as inference-time inputs and outputs, since both can contain personal data.
- Assess whether the processing is necessary and proportionate to the purpose.
- Identify and rate the risks to individuals, by likelihood and severity, not only the risks to the organisation.
- Define mitigations for each risk and record the residual risk that remains after them.
- Consult your DPO, and individuals or their representatives where appropriate.
- If a high residual risk remains that you cannot mitigate, consult the supervisory authority before starting the processing, as GDPR Article 36 requires.
- Document the outcome and review it as the system changes; a model retrain, a new data source, or a new use of the outputs can all change the risk picture.
Key takeaways
- A DPIA is required under GDPR for high-risk processing, which many AI systems meet.
- Profiling, large-scale special category data, and large-scale monitoring are key triggers.
- A DPIA and an EU AI Act FRIA can be run as one combined assessment.
- Run it early, involve the DPO, and review it as the system changes.
Frequently asked questions
What is a DPIA?
A Data Protection Impact Assessment (DPIA) is a structured assessment of the privacy risks of a data-processing activity and the steps taken to reduce them. Under GDPR it is required before processing that is likely to result in a high risk to individuals.
When is a DPIA required for AI?
GDPR Article 35 requires a DPIA for high-risk processing, including systematic profiling with legal or similarly significant effects, large-scale processing of special category data, and large-scale systematic monitoring. Many AI systems fall into one or more of these.
What is the difference between a DPIA and a FRIA?
A DPIA is a GDPR requirement focused on risks to personal data. A FRIA (Fundamental Rights Impact Assessment) is an EU AI Act requirement for certain deployers of high-risk AI, focused on risks to fundamental rights. Where both apply, the FRIA can build on the DPIA.
Who is responsible for a DPIA?
The data controller is responsible for carrying out the DPIA, and must seek the advice of the Data Protection Officer (DPO) where one is designated. The assessment should involve the teams that build and operate the system.
How do you run a DPIA for an AI system?
Describe the processing and its purpose, assess necessity and proportionality, identify and rate risks to individuals, define mitigations and record the residual risk, consult the DPO (and individuals where appropriate), consult the supervisory authority if a high residual risk remains, then document the outcome and review it as the system changes.
A DPIA is only as good as your visibility into the data and models involved. DataSafeguard gives you that map — a live inventory of AI systems and the sensitive data they touch. Request a walkthrough or read what AI governance covers.