Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a structured risk analysis process required by GDPR Article 35 before undertaking processing likely to result in a high risk to individuals' rights and freedoms. It identifies the nature, scope, context, and purposes of the processing, assesses necessity and proportionality, evaluates risks, and determines measures to address them.
What Is a DPIA?
A Data Protection Impact Assessment (DPIA) — Evaluación de Impacto en la Protección de Datos (EIPD) in Spanish — is a risk assessment tool created by GDPR Article 35 and further developed in Spanish practice by the AEPD’s guidance. Its purpose is to identify and mitigate data protection risks before a processing operation begins, rather than retrospectively after harm has occurred.
The DPIA is not simply a box-ticking exercise or a documentary formality. A well-conducted DPIA should genuinely influence the design of the processing activity — potentially changing the data collected, the retention period, the access controls applied, or the legal basis relied upon.
When Is a DPIA Mandatory?
A DPIA is required when processing is “likely to result in a high risk to the rights and freedoms of natural persons.” GDPR Article 35(3) specifies three categories that always require a DPIA:
- Systematic and extensive evaluation of personal aspects based on automated processing, including profiling, which produces decisions with significant legal or similarly significant effects
- Large-scale processing of special categories of data (health, biometric, genetic, racial/ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation) or criminal conviction data
- Systematic monitoring of publicly accessible areas on a large scale (CCTV, smart city sensors)
The AEPD’s Mandatory DPIA List
The AEPD has published a list of processing types it considers to always require a DPIA, which includes (among others):
- Geolocation tracking of individuals
- Processing employee personal data to monitor productivity or behaviour
- Combining data from multiple sources to create individual profiles
- Processing health or genetic data for purposes other than direct healthcare
- AI systems that make automated decisions with significant effects
- Biometric identification or recognition systems
- Processing personal data of vulnerable persons (children, employees, patients) at scale
- International transfers of data to countries without adequate protection
Conversely, the AEPD has also published a list of processing types that generally do not require a DPIA (such as standard payroll processing, standard customer contact management) — helping organisations allocate their compliance effort proportionately.
The DPIA Methodology
A DPIA should address four core elements:
1. Description of the Processing
Describe the nature, scope, context, and purposes of the processing in detail. What data is collected? From whom? How? For what purpose? Who has access? Where is it stored? What are the retention periods?
2. Necessity and Proportionality Assessment
Evaluate whether the processing is necessary for the purpose stated. Is there a less intrusive way to achieve the same objective? Is the legal basis appropriate? Are data minimisation principles applied?
3. Risk Assessment
Identify risks to individuals’ rights and freedoms from the processing, considering both the likelihood and severity of harm. Common risk categories include:
- Inability to exercise rights (access, erasure, portability)
- Physical harm (violence, discrimination enabled by data disclosure)
- Financial harm (fraud, identity theft)
- Reputational harm
- Loss of confidentiality of sensitive data
- Social disadvantage (employment discrimination, insurance denial)
4. Risk Treatment Measures
For each identified risk, document the technical and organisational measures to mitigate it, assess the residual risk after mitigation, and determine whether the residual risk is acceptable.
Role of the DPO
Where a DPO has been designated, GDPR Article 35(2) requires that their advice must be sought when carrying out a DPIA. The DPO does not conduct the DPIA — that remains the controller’s responsibility — but they provide expertise and oversight of the process and must be consulted. The DPO’s advice and the controller’s response to it must both be documented.
Prior Consultation with the AEPD
If the DPIA concludes that high residual risks remain after mitigation measures, the controller must carry out prior consultation with the AEPD before beginning the processing (GDPR Article 36). The AEPD has up to 8 weeks (extendable by 6 weeks in complex cases) to provide written advice. If the AEPD considers the processing to violate GDPR, it will provide recommendations and may exercise its investigative and corrective powers.
DPIA and the AI Act
The EU AI Act introduces its own fundamental rights impact assessment requirements for high-risk AI systems used by public bodies, which partially overlap with DPIA obligations. Companies deploying AI systems that process personal data will typically need to conduct both a DPIA (under GDPR) and an AI Act conformity assessment, ideally coordinating the two exercises.
How BMC Can Help
We conduct DPIAs as standalone engagements or as part of broader GDPR compliance programmes. This includes scoping the processing activity, leading the risk assessment workshops, producing the documented DPIA report, advising on mitigation measures, and managing prior consultation processes with the AEPD where required.
Frequently asked questions
When is a DPIA mandatory under GDPR in Spain?
What processing activities does the AEPD consider always require a DPIA in Spain?
What role must the DPO play in a DPIA under Spanish GDPR rules?
When must a Spanish company consult the AEPD before starting new data processing?
How does the EU AI Act interact with DPIA requirements for AI systems?