How to conduct a Data Protection Impact Assessment (DPIA)

A DPIA documents risks and mitigations for higher‑risk processing. Keep it short, concrete, and action‑oriented.

When this is required (typical triggers)

  • Profiling or automated decisions with real‑world effects.

  • Large‑scale use of sensitive categories or minors’ data.

  • Introduction of new technology that changes the risk to the people whose data is processed.

Preparation checklist

  • A named owner and reviewers (privacy and product).

  • Data map for the use case.

  • Draft mitigations list (minimize, encrypt, shorten retention, add human review).

Step‑by‑step process

  1. Describe the processing: purpose, data, people affected, locations.

  2. Assess necessity/proportionality: is there a less intrusive option?

  3. Identify risks: to people (not just your company).

  4. Mitigate: note controls and owners.

  5. Decide: proceed, adjust, or stop; set review date.

  6. Record: store the DPIA where auditors and customers expect to find it.

Documentation & approvals

Use a standard template, capture sign-off (signatures or ticket approvals), and set an expiry or revisit date.

Mitigations & follow‑up

Track real‑world issues; update the DPIA when the use or data changes.

Templates & tools

A spreadsheet or document is fine; a ticketing system works well for approvals.

Next steps

Publish your DPIA approach in your privacy program.
