What is a Data Protection Impact Assessment (DPIA)?
A DPIA is a mandatory risk assessment before high-risk processing (GDPR Art. 35). When required + what must it contain?
A Data Protection Impact Assessment (DPIA) is a structured process for identifying and mitigating the privacy risks of a processing operation before it begins. GDPR Art. 35 makes it mandatory for processing that "is likely to result in a high risk to the rights and freedoms of natural persons".

When is it mandatory? (1) Systematic and extensive evaluation based on automated decisions that produce legal effects (e.g. credit scoring, fraud detection). (2) Large-scale processing of special-category data (Art. 9) or criminal-offence data (Art. 10). (3) Systematic monitoring of publicly accessible areas on a large scale (e.g. CCTV surveillance). The Dutch AP has published a specific list of 17 processing types that require a DPIA (AP-DPIA list 2019, updated 2024), including workplace monitoring, biometric access control, location tracking, and healthcare applications.

What must it contain? Art. 35(7): (a) a systematic description of the processing, (b) an assessment of necessity and proportionality, (c) a risk analysis for the data subjects, and (d) the measures that mitigate those risks.

Who carries it out? The controller, with advice from the DPO (Art. 39(1)(c)). External DPIA experts are often hired for complex cases.

Prior consultation: if the DPIA shows residual high risks, you MUST consult the DPA in advance (Art. 36) before starting the processing. The DPA then has 8 weeks to respond, extendable to 14 weeks.

Fine for a missing DPIA: Art. 83(4), up to €10m or 2% of turnover. Recent AP fines (2023-2025) for missing DPIAs have hit large retail, insurance, and HR-monitoring platforms. Template: the AP provides a free DPIA template (see sources).