Magist

Data protection impact assessment (DPIA) process

dpia-process · Domain: data-privacy · Type: process

Description

A Data Protection Impact Assessment is the structured risk analysis that GDPR Article 35 requires before any processing operation likely to result in a high risk to data subjects. The Article 35(3) list of triggers is non-exhaustive; in practice the universe of trigger conditions is three lists stacked together: the regulation's own enumeration (systematic and extensive evaluation of personal aspects based on automated processing, large-scale processing of special-category data, and systematic monitoring of publicly accessible areas on a large scale), the Article 29 Working Party guidance on what counts as high risk (WP248, since endorsed by the EDPB), and the per-jurisdiction DPA lists published under Article 35(4) (the CNIL, Garante, DPC and others have each published a list of processing types that automatically require a DPIA in their jurisdiction; the ICO's list now applies under the UK GDPR rather than as an EU member-state list). An operator processing across several member states usually has to satisfy the strictest of these lists rather than the average.

The assessment decomposes into four parts. A description of the processing operation comes first: what data, what purpose, what legal basis under Article 6 (and, for special categories, which Article 9 condition), who the controller and processors are, and where the data flows. A necessity-and-proportionality analysis against that stated purpose comes second, and is the part DPAs scrutinize hardest, because the test is whether less-intrusive means could have achieved the same purpose; vague statements of business benefit do not survive this section. A risk assessment that identifies threats to data-subject rights and freedoms comes third, with severity and likelihood scored on the operator's chosen rubric (usually the ENISA five-by-five matrix or the CNIL's four-band variant) and the reasoning behind each score recorded next to it. A mitigation plan that brings the residual risk down to an acceptable level closes the document; mitigations include both technical measures (encryption, pseudonymization, access controls) and organizational measures (training, vendor due diligence, retention schedules), and each one should be tied to the specific risk it reduces so that the residual score is traceable.
The escalation path is the load-bearing piece. Where mitigation cannot bring residual risk below high, GDPR Article 36 requires prior consultation with the supervisory authority before the processing begins; the supervisory authority then has up to eight weeks to respond, extendable by a further six (fourteen in total). The DPIA is therefore the operative gate on whether the processing can launch at all, not just an internal hygiene exercise. A thorough DPIA that surfaces unmitigable high risk is doing its job rather than failing it, even though the operational pressure on the privacy team typically runs the other way. Most DPIA failures observed in enforcement come from boilerplate templates that produce uniformly low residual-risk scores regardless of the underlying processing. Regulators read those (correctly) as the team going through the motions, and the cases that follow tend to combine an Article 35 finding with separate findings under Article 5 (data minimization), Article 25 (data protection by design and by default), and Article 32 (security of processing), because the underlying issues were the same and the DPIA was where they should have surfaced. The cheapest defensive posture is to let the residual-risk output vary across processing types, to capture the reasoning behind each score, and to actually consult the supervisory authority when Article 36 is triggered rather than retroactively re-scoring to avoid the consultation.
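The scoring, mitigation and escalation logic above can be made mechanical so the Article 36 gate and the "uniformly low" anti-pattern are checked rather than eyeballed. The following is an added example, not Magist's or any supervisory authority's tooling: it scores each risk as severity times likelihood on a 5x5 matrix, applies recorded mitigations to get a residual score, lists the risks that still sit in a high band (the prior-consultation trigger), and runs a few heuristics that flag a register filled in by template. The band cut-offs, the per-mitigation reductions, the eight-word rationale threshold and the sample register for a hypothetical games studio are all assumptions constructed for the example.

```python
"""Residual-risk scoring and Article 36 gate for a DPIA risk register.

Added example, not Magist's code or any DPA's official method. The 5x5
severity-by-likelihood matrix and the band cut-offs are an assumed rubric
standing in for whichever one the operator adopts (ENISA- or CNIL-style).
"""
from dataclasses import dataclass, field

# Assumed band cut-offs on the 1..25 product of severity x likelihood.
BANDS = (("low", 1, 4), ("medium", 5, 9), ("high", 10, 16), ("very_high", 17, 25))
MIN_RATIONALE_WORDS = 8  # assumed threshold for "the reasoning was captured"


def band(score: int) -> str:
    """Map a 1..25 score to its named band."""
    for name, lo, hi in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score out of range: {score}")


@dataclass
class Mitigation:
    measure: str
    kind: str                      # "technical" or "organizational"
    severity_reduction: int = 0    # points taken off the 1..5 severity
    likelihood_reduction: int = 0  # points taken off the 1..5 likelihood


@dataclass
class Risk:
    processing: str   # the processing operation this threat belongs to
    threat: str       # threat to data-subject rights and freedoms
    severity: int     # 1..5
    likelihood: int   # 1..5
    rationale: str    # why these scores; the part regulators look for
    mitigations: list = field(default_factory=list)

    def inherent(self) -> int:
        return self.severity * self.likelihood

    def residual(self) -> int:
        """Score after mitigations; each axis floors at 1 so residual is never 0."""
        sev = max(1, self.severity - sum(m.severity_reduction for m in self.mitigations))
        lik = max(1, self.likelihood - sum(m.likelihood_reduction for m in self.mitigations))
        return sev * lik


def requires_prior_consultation(risks) -> list:
    """Article 36 gate: risks whose residual band is still high or above."""
    return [r for r in risks if band(r.residual()) in ("high", "very_high")]


def boilerplate_findings(risks) -> list:
    """Heuristics for a register that was filled in rather than assessed."""
    findings = []
    if len(risks) > 1 and len({band(r.residual()) for r in risks}) == 1:
        findings.append("uniform residual band across all processing types")
    for r in risks:
        if len(r.rationale.split()) < MIN_RATIONALE_WORDS:
            findings.append(f"{r.threat}: rationale too thin to support the score")
        if band(r.inherent()) in ("high", "very_high") and not r.mitigations:
            findings.append(f"{r.threat}: high inherent risk with no mitigation recorded")
    return findings


def sample_register() -> list:
    """Constructed sample for a hypothetical games studio; not a real DPIA."""
    return [
        Risk("telemetry", "re-identification of players from precise location traces", 4, 4,
             "Raw GPS traces linked to account IDs are retained indefinitely; "
             "re-identification from a handful of points is well documented.",
             [Mitigation("coarsen location to city level before storage", "technical", severity_reduction=1),
              Mitigation("30-day retention schedule for raw telemetry", "organizational", likelihood_reduction=1)]),
        Risk("age assurance", "biometric age estimation leaks or misclassifies a child", 5, 4,
             "Special-category data processed at scale for every new sign-up; "
             "misclassification denies a child the protections the code requires.",
             [Mitigation("estimate on-device and never upload the image", "technical",
                         severity_reduction=1, likelihood_reduction=1)]),
        Risk("marketing", "preference data used beyond the opted-in purpose", 2, 2,
             "Only opt-in flags are stored, no behavioural profile, and the flag "
             "is enforced at send time by the mailing service."),
    ]


def boilerplate_register() -> list:
    """Constructed anti-pattern: every row scored 1x2 with 'n/a' as the reasoning."""
    return [Risk(p, f"generic risk for {p}", 1, 2, "n/a") for p in ("telemetry", "age assurance", "marketing")]


if __name__ == "__main__":
    for r in sample_register():
        print(f"{r.processing:14} inherent={r.inherent():2} ({band(r.inherent())}) "
              f"residual={r.residual():2} ({band(r.residual())})")
    print("Article 36 consultation needed for:",
          [r.threat for r in requires_prior_consultation(sample_register())])
    print("Boilerplate findings:", boilerplate_findings(boilerplate_register()))
```

In the constructed register the age-assurance row stays in the high band after mitigation, so the gate reports it for prior consultation; re-scoring it down to avoid that is exactly the move the text warns against. The boilerplate register trips the uniform-band check and the thin-rationale check on every row, which is the signature regulators read as going through the motions.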

Required by (8 regulations)

  • CA AADC

    Cal. Civ. Code §§1798.99.28-1798.99.40 (AB 2273, 2022)

  • DPDPA

    Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), published in the Gazette of India on August 11, 2023

  • GDPR

    Article 35 — DPIA mandatory when processing is likely to result in high risk.

    Regulation (EU) 2016/679 of the European Parliament and of the Council

  • LGPD

    Article 38 — Relatório de Impacto à Proteção de Dados Pessoais on ANPD request.

    Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

  • PDPL

    Royal Decree M/19, dated 9/2/1443 AH (September 16, 2021), Personal Data Protection Law, effective September 14, 2023

  • UAE Data Protection Law
  • UK AADC

    Standard 2 — DPIA explicitly required for services likely to be accessed by children.

    Data Protection Act 2018, s.123; Age Appropriate Design: A Code of Practice for Online Services (ICO, 2020)

  • Vietnam PDPD

Fulfilled by (3)

  • onetrust · full · medium effort · $$
  • transcend · partial · medium effort · $$
  • In-house build · high effort
    CNIL / ICO templates work for static risks; tracking changes over time is the bigger lift.

Magist does not accept payment from vendors.

Evidence formats

  • DPIA template
  • completed DPIAs
  • risk register
  • mitigation tracker

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Pre-launch regulatory analysis for product teams. Built by a lawyer, designed for PMs.
Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Operated by a Washington-licensed attorney. Not licensed in California or other US states.

Magist is an instrument, not a consultancy. It does not sell compliance services or take payment from vendors for placement; the analysis is the same for everyone. No vendor, sponsorship, or referral fees, ever.


© 2026 Magist