DPIA: Your First Line of Defence Against GDPR Sanctions
Structured DPIA methodology for high-risk processing: risk identification and mitigation, AEPD prior consultation management, and AI system impact assessments.
Why a DPIA is mandatory and when it applies
Does this apply to your business?
Have you identified all processing activities in your organisation that require a DPIA under the European Data Protection Board's criteria?
Do your AI systems, profiling tools, and CCTV operations have a valid, current DPIA before going live?
Does your DPIA include an actual residual risk assessment with specific mitigation measures, or is it a generic template?
Do you know when the mandatory prior consultation procedure with the AEPD applies, and how to navigate it?
Our DPIA methodology and execution process
Necessity and proportionality assessment
We evaluate whether the processing is necessary for its stated purpose, whether a less privacy-intrusive alternative exists, and whether the legal basis applied is appropriate under the GDPR.
Risk identification and scoring
We map risks to the rights and freedoms of data subjects — likelihood, severity, and impact of each risk scenario — following the AEPD's structured DPIA methodology.
Mitigation measure design
We define the technical and organisational measures that reduce identified risks to an acceptable residual level: pseudonymisation, encryption, access restriction, audit logging, and similar controls.
DPIA report and prior consultation
We produce the complete DPIA report compliant with Article 35(7) GDPR and, where residual risk remains high, manage the mandatory prior consultation procedure with the AEPD.
The challenge
Article 35 of the GDPR mandates a DPIA before commencing any processing likely to result in a high risk to individuals' rights and freedoms. Many organisations are unaware of when the obligation applies, or complete DPIAs using generic templates that would not survive regulatory scrutiny. Launching a high-risk processing activity without a valid DPIA is one of the violations the AEPD treats most seriously.
Our solution
We conduct Data Protection Impact Assessments using a structured methodology aligned with the AEPD's practical guide and the European Data Protection Board guidelines. We assess the necessity and proportionality of the processing, identify and score residual risks, and design mitigation measures. Where residual risk cannot be reduced to an acceptable level, we manage the mandatory prior consultation procedure with the AEPD.
A Data Protection Impact Assessment (DPIA) is a mandatory risk analysis process required by Article 35 of the EU General Data Protection Regulation (GDPR, Regulation 2016/679) before commencing any processing operation that is likely to result in a high risk to the rights and freedoms of natural persons. The AEPD has published a list of processing activities that always require a DPIA in Spain, including systematic monitoring of public spaces, large-scale processing of special categories of data, and automated decision-making with significant legal effects on individuals. A DPIA must assess the necessity and proportionality of the processing, identify and evaluate risks, and define mitigation measures; where residual risk remains high, prior consultation with the AEPD under Article 36 GDPR is mandatory before processing begins.
The Data Protection Impact Assessment is the instrument the GDPR gives organisations to proactively manage the risks of their most complex processing activities. When conducted rigorously, it is not a bureaucratic formality — it is the strongest evidence that an organisation fulfilled its accountability obligation before processing personal data.
When the DPIA Obligation Applies
Article 35 of the GDPR mandates a DPIA before commencing any processing likely to result in a high risk to the rights and freedoms of natural persons. The European Data Protection Board's guidelines (WP248 rev.01) set out nine criteria that indicate high risk: evaluation or scoring, including profiling; automated decision-making with legal or similarly significant effects; systematic monitoring; sensitive data or data of a highly personal nature; processing on a large scale; matching or combining datasets; data concerning vulnerable data subjects, including children, patients and employees; innovative use or application of new technological or organisational solutions; and processing that in itself prevents data subjects from exercising a right or using a service or contract. As a rule of thumb, processing that meets two or more of these criteria requires a DPIA in most cases, and a single criterion can be enough where the processing is particularly intrusive. In practice, any organisation using AI systems, operating large-scale CCTV, processing health data, or running behavioural loyalty platforms needs a valid DPIA. The starting point must always be a formal assessment of which activities trigger the obligation, not an assumption that they do not.
The Quality Standard That Matters
The value of a DPIA is determined by the depth of the risk analysis, not the volume of documentation. A DPIA that lists generic risks without scoring probability and impact, or that proposes standard mitigation measures without verifying their effectiveness in the specific processing context, will not withstand scrutiny from the AEPD. Our methodology follows the AEPD’s practical guide and documents the reasoning behind each risk assessment, producing a report that survives external review.
This quality standard is particularly critical for AI and automated decision-making systems. The GDPR’s restrictions on automated decisions with significant effects (Article 22) overlay the DPIA obligation, and the EU AI Act’s conformity assessment requirements for high-risk AI systems add a further layer. We conduct integrated assessments that address both frameworks simultaneously, avoiding duplication and ensuring complete regulatory coverage.
Privacy by Design Starts with the DPIA
For new digital products and internal systems, the DPIA should be conducted during the design phase — before irreversible technical decisions are made. Working with your product and engineering teams at the design stage, we identify privacy risks while they can still be addressed through architectural choices: choosing to pseudonymise rather than identify, to aggregate rather than individualise, to minimise rather than maximise data collection. This privacy by design approach is dramatically more efficient than retrofitting compliance after launch.
Where residual risk cannot be reduced to an acceptable level, we manage the prior consultation with the AEPD — a procedure many controllers are unaware of but which the GDPR makes a precondition for proceeding with the processing. A well-documented prior consultation, supported by a rigorous technical case file, creates a regulatory record that significantly reduces enforcement exposure after the processing begins.
The DPIA as Evidence in Enforcement Proceedings
The AEPD consistently refers to the presence or absence of a DPIA — and its quality — when determining sanctions in enforcement decisions. A controller that processed high-risk data without a DPIA, or with a superficial one that did not genuinely assess the risks, is in a structurally weaker position in any subsequent investigation. Conversely, a controller that conducted a rigorous DPIA, identified the relevant risks, implemented meaningful mitigations, and documented its accountability reasoning demonstrates exactly the conduct the GDPR accountability principle requires.
DPIAs for Specific Processing Categories
Certain processing categories recur frequently enough that we have developed specialist methodologies for them. Employee monitoring systems — including time and attendance tracking, productivity monitoring, and location tracking — require careful DPIA analysis because they combine large-scale systematic monitoring with employment law sensitivities and constitutional privacy protections. Health data processing in clinical or occupational health contexts combines Article 9 special category data with the special requirements of Spain’s LOPDGDD. In each of these areas, we apply a methodology calibrated to the specific processing activity and its risk profile, not a generic template.
Cross-Border and International Dimension
DPIAs for processing activities that involve international data transfers — personal data sent to cloud providers, CRM platforms, or analytics tools outside the EEA — must address both the standard DPIA risk assessment and the Transfer Impact Assessment (TIA) required for third-country transfers. These are formally distinct instruments, but they are most efficiently conducted as an integrated exercise. Where both the outsourced DPO function and the DPIA service are engaged, the DPO leads the assessment process with in-depth knowledge of the organisation’s processing activities — producing faster, more accurate results.
Maintaining the DPIA Register
A DPIA is not a one-time exercise — it is a document that must be updated when the processing changes materially. The introduction of a new AI model, a change in data retention periods, a new international transfer destination, or the extension of processing to a new category of data subjects all require a DPIA review. We design DPIA management systems that integrate with your data protection programme’s record of processing activities, ensuring that trigger events for a DPIA review are identified and acted upon as part of normal business operations rather than discovered retrospectively during an AEPD inspection.
DPIA triggers: when is an assessment mandatory?
GDPR Article 35 specifies that a DPIA is mandatory when processing is “likely to result in a high risk to the rights and freedoms of natural persons.” The AEPD has supplemented this with a list of processing activities that always require a DPIA in the Spanish context. Key mandatory triggers include:
- Processing biometric data for identification purposes (including facial recognition and fingerprint systems)
- Systematic monitoring of employees (email monitoring, GPS tracking, keystroke logging)
- Processing health, genetic, or financial data on a large scale
- Innovative use of artificial intelligence or machine learning to make automated decisions about individuals
- Processing data of vulnerable individuals (children, patients, people with disabilities)
- Using profiling to assess personal aspects of individuals in ways that produce significant effects
- Cross-referencing or combining datasets in ways that individuals would not reasonably anticipate
The AEPD’s “lista de tipos de tratamiento que requieren EIPD” (published October 2019) should be the first reference for any new processing activity. Our DPIA service begins with a mandatory/voluntary determination to ensure resources are directed appropriately.
DPIA methodology: structured risk analysis
A technically sound DPIA follows the CNIL/EDPB four-step methodology: context description (what personal data, what processing, what purpose), necessity and proportionality assessment (is the processing necessary and proportionate to achieve the purpose?), risk identification and assessment (what risks to data subjects, how likely, how severe?), and risk treatment measures (what technical and organisational measures reduce risks to an acceptable level?). Each step requires specific expertise — legal for necessity/proportionality, technical for risk assessment, operational for measure implementation.
Our DPIA service delivers a complete four-step assessment document that meets the AEPD’s formal requirements and can be produced in evidence in the event of a supervisory authority investigation. Contact our data protection team to scope a DPIA for your planned processing activity.
DPIA in artificial intelligence deployments
The deployment of artificial intelligence and machine learning systems that process personal data is one of the clearest DPIA triggers under GDPR. AI systems that make automated decisions with significant effects on individuals — credit scoring, CV screening, insurance pricing, content moderation — always require a DPIA. But the obligation extends further: any AI system that processes personal data in ways that are novel, opaque, or unpredictable to the individuals affected requires an impact assessment, regardless of whether its outputs constitute “solely automated decisions” under Article 22 GDPR.
The AEPD’s 2020 Guide on Artificial Intelligence and Data Protection provides a specific DPIA framework for AI systems, addressing transparency obligations, the information that must be given to individuals about the existence of automated decision-making and the logic involved under Articles 13 to 15 GDPR, and the bias and fairness assessment that forms part of a comprehensive impact analysis. Our AI-specific DPIA service incorporates this framework alongside the technical assessment of training data processing, model inference data flows, and model output storage.
The DPIA review process: consulting the DPO and the supervisory authority
When a DPIA identifies high residual risks that the controller cannot sufficiently mitigate, GDPR Article 36 requires prior consultation with the supervisory authority (the AEPD in Spain) before commencing the processing. Before that stage, Article 35(2) requires the controller to seek the advice of its DPO, where one has been designated, when carrying out the assessment. Article 36(3) specifies what the consultation request must contain: the respective responsibilities of the controller, any joint controllers and processors, the purposes and means of the processing, the measures and safeguards adopted to protect data subjects, the DPO's contact details, and the DPIA itself. The AEPD has up to eight weeks to provide written advice, extendable by a further six weeks (14 weeks in total) for complex cases, and may request additional information. Our DPIA service includes assessment of whether prior consultation is required and, if so, management of the consultation process.
Contact our data protection team to scope a DPIA engagement for your planned processing or AI deployment.
Self-diagnostic: does your processing activity require a DPIA?
Apply these threshold questions to any new processing activity before launch:
- Does the processing involve special categories of data (health, biometric, genetic, racial/ethnic, religious, sexual orientation, political opinions)?
- Does the processing involve children’s data at scale?
- Does the processing involve systematic monitoring of individuals in public or workplace spaces?
- Does the processing use automated decision-making or AI to produce decisions with significant legal or similarly significant effects?
- Will the processing combine or cross-reference datasets about individuals in ways they would not reasonably anticipate?
- Is the processing activity novel — using technologies or methods not previously used by your organisation?
A “yes” to any of these questions warrants a formal threshold assessment. Under the EDPB guidelines, processing that meets two or more of the high-risk criteria requires a DPIA in most cases, and a single criterion can suffice where the processing is particularly intrusive. Our data protection team provides a rapid mandatory/voluntary DPIA determination as the first step of any engagement. Contact us before beginning the processing activity: a DPIA conducted after processing has commenced does not satisfy the Article 35 obligation, which requires the assessment to be carried out prior to the processing.
Real results from our DPIA engagements
Before deploying our behavioural analytics system for fraud prevention, BMC conducted the DPIA and gave us a precise map of the risks we needed to address. When the AEPD requested our documentation, we were fully prepared. The DPIA was the reason the investigation closed without further action.
Experienced team with local insight and international reach
What our DPIA service includes
DPIA Obligation Assessment
Analysis of whether the processing requires a DPIA under GDPR Article 35, the EDPB criteria, and the AEPD's specific list of high-risk processing activities.
Necessity and Proportionality Review
Assessment of processing purpose, applicable legal basis, data minimisation, and availability of less privacy-intrusive alternatives.
Risk Identification and Mitigation Design
Identification of risk scenarios for data subjects, likelihood and severity scoring, and design of technical and organisational mitigation measures.
DPIA Report
Production of the complete DPIA report compliant with Article 35(7) GDPR and the AEPD practical guide methodology, ready for regulatory presentation.
AEPD Prior Consultation Management
Management of the mandatory prior consultation procedure when residual risk cannot be reduced to an acceptable level: case file preparation and authority follow-up.