DPIA: Your First Line of Defence Against GDPR Sanctions

A Data Protection Impact Assessment (DPIA) is a mandatory risk analysis process required by Article 35 of the EU General Data Protection Regulation (GDPR, Regulation 2016/679) before commencing any processing operation that is likely to result in a high risk to the rights and freedoms of natural persons. The AEPD has published a list of processing activities that always require a DPIA in Spain, including systematic monitoring of public spaces, large-scale processing of special categories of data, and automated decision-making with significant legal effects on individuals. A DPIA must assess the necessity and proportionality of the processing, identify and evaluate risks, and define mitigation measures; where residual risk remains high, prior consultation with the AEPD under Article 36 GDPR is mandatory before processing begins.

The Data Protection Impact Assessment is the instrument the GDPR gives organisations to proactively manage the risks of their most complex processing activities. When conducted rigorously, it is not a bureaucratic formality — it is the strongest evidence that an organisation fulfilled its accountability obligation before processing personal data.

When the DPIA Obligation Applies

Article 35 of the GDPR mandates a DPIA before commencing any processing likely to result in a high risk to the rights and freedoms of natural persons. The nine criteria published by the European Data Protection Board cover profiling and automated decision-making, systematic monitoring, large-scale sensitive data processing, children’s data, biometric identification, innovative technologies, and cross-border transfers. In practice, any organisation using AI systems, operating large-scale CCTV, processing health data, or running behavioural loyalty platforms needs a valid DPIA. The starting point must always be a formal assessment of which activities trigger the obligation — not an assumption that they do not.

The Quality Standard That Matters

The value of a DPIA is determined by the depth of the risk analysis, not the volume of documentation. A DPIA that lists generic risks without scoring probability and impact, or that proposes standard mitigation measures without verifying their effectiveness in the specific processing context, will not withstand scrutiny from the AEPD. Our methodology follows the AEPD’s practical guide and documents the reasoning behind each risk assessment, producing a report that survives external review.

This quality standard is particularly critical for AI and automated decision-making systems. The GDPR’s restrictions on automated decisions with significant effects (Article 22) overlay the DPIA obligation, and the EU AI Act’s conformity assessment requirements for high-risk AI systems add a further layer. We conduct integrated assessments that address both frameworks simultaneously, avoiding duplication and ensuring complete regulatory coverage.

Privacy by Design Starts with the DPIA

For new digital products and internal systems, the DPIA should be conducted during the design phase — before irreversible technical decisions are made. Working with your product and engineering teams at the design stage, we identify privacy risks while they can still be addressed through architectural choices: choosing to pseudonymise rather than identify, to aggregate rather than individualise, to minimise rather than maximise data collection. This privacy by design approach is dramatically more efficient than retrofitting compliance after launch.

Where residual risk cannot be reduced to an acceptable level, we manage the prior consultation with the AEPD — a procedure many controllers are unaware of but which the GDPR makes a precondition for proceeding with the processing. A well-documented prior consultation, supported by a rigorous technical case file, creates a regulatory record that significantly reduces enforcement exposure after the processing begins.