Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment is a structured risk analysis required under GDPR Article 35 before deploying processing likely to result in high risk to data subjects.
What is a DPIA?
A Data Protection Impact Assessment is a structured analysis required under GDPR Article 35 before an organisation deploys processing that is "likely to result in a high risk to the rights and freedoms of natural persons". The DPIA documents the processing operations, assesses their necessity and proportionality, identifies the risks to data subjects, and lists the measures taken to mitigate them. For AI deployments, a DPIA is nearly always required: automated decision-making with legal or similarly significant effects is one of the explicit triggers.
When AI buyers need a DPIA
Automated decision-making in HR (resume screening, performance evaluation), credit and insurance decisions, healthcare diagnosis support, fraud detection, and behavioural profiling are clear DPIA triggers. Even where a DPIA is not strictly mandatory, EU enterprise customers commonly request one as a condition of vendor evaluation. The DPIA is your responsibility as the controller, not the vendor's, but the vendor's transparency materials (model cards, audit reports, sub-processor lists) directly determine how much work goes into producing it.
What to ask vendors
To support your own DPIA, ask the AI vendor for: the categories of personal data processed, the legal basis under which they process it, retention periods, a sub-processor list with each sub-processor's role and location, the model's training-data composition (where available), known limitations and bias evaluations, the security measures described in their DPA, and any prior DPIAs they have run on their own product. Mature vendors maintain a DPIA-support packet specifically for this purpose; less mature ones will require months of back-and-forth.