DPIA: Your First Line of Defence Against GDPR Sanctions

A Data Protection Impact Assessment (DPIA) is a mandatory risk analysis process required by Article 35 of the EU General Data Protection Regulation (GDPR, Regulation 2016/679) before commencing any processing operation that is likely to result in a high risk to the rights and freedoms of natural persons. The AEPD has published a list of processing activities that always require a DPIA in Spain, including systematic monitoring of public spaces, large-scale processing of special categories of data, and automated decision-making with significant legal effects on individuals. A DPIA must assess the necessity and proportionality of the processing, identify and evaluate risks, and define mitigation measures; where residual risk remains high, prior consultation with the AEPD under Article 36 GDPR is mandatory before processing begins.

The Data Protection Impact Assessment is the instrument the GDPR gives organisations to proactively manage the risks of their most complex processing activities. When conducted rigorously, it is not a bureaucratic formality — it is the strongest evidence that an organisation fulfilled its accountability obligation before processing personal data.

When the DPIA Obligation Applies

Article 35 of the GDPR mandates a DPIA before commencing any processing likely to result in a high risk to the rights and freedoms of natural persons. The nine criteria published by the European Data Protection Board cover profiling and automated decision-making, systematic monitoring, large-scale sensitive data processing, children’s data, biometric identification, innovative technologies, and cross-border transfers. In practice, any organisation using AI systems, operating large-scale CCTV, processing health data, or running behavioural loyalty platforms needs a valid DPIA. The starting point must always be a formal assessment of which activities trigger the obligation — not an assumption that they do not.

The Quality Standard That Matters

The value of a DPIA is determined by the depth of the risk analysis, not the volume of documentation. A DPIA that lists generic risks without scoring probability and impact, or that proposes standard mitigation measures without verifying their effectiveness in the specific processing context, will not withstand scrutiny from the AEPD. Our methodology follows the AEPD’s practical guide and documents the reasoning behind each risk assessment, producing a report that survives external review.

This quality standard is particularly critical for AI and automated decision-making systems. The GDPR’s restrictions on automated decisions with significant effects (Article 22) overlay the DPIA obligation, and the EU AI Act’s conformity assessment requirements for high-risk AI systems add a further layer. We conduct integrated assessments that address both frameworks simultaneously, avoiding duplication and ensuring complete regulatory coverage.

Privacy by Design Starts with the DPIA

For new digital products and internal systems, the DPIA should be conducted during the design phase — before irreversible technical decisions are made. Working with your product and engineering teams at the design stage, we identify privacy risks while they can still be addressed through architectural choices: choosing to pseudonymise rather than identify, to aggregate rather than individualise, to minimise rather than maximise data collection. This privacy by design approach is dramatically more efficient than retrofitting compliance after launch.

Where residual risk cannot be reduced to an acceptable level, we manage the prior consultation with the AEPD — a procedure many controllers are unaware of but which the GDPR makes a precondition for proceeding with the processing. A well-documented prior consultation, supported by a rigorous technical case file, creates a regulatory record that significantly reduces enforcement exposure after the processing begins.

The DPIA as Evidence in Enforcement Proceedings

The AEPD consistently refers to the presence or absence of a DPIA — and its quality — when determining sanctions in enforcement decisions. A controller that processed high-risk data without a DPIA, or with a superficial one that did not genuinely assess the risks, is in a structurally weaker position in any subsequent investigation. Conversely, a controller that conducted a rigorous DPIA, identified the relevant risks, implemented meaningful mitigations, and documented its accountability reasoning demonstrates exactly the conduct the GDPR accountability principle requires.

DPIAs for Specific Processing Categories

Certain processing categories recur frequently enough that we have developed specialist methodologies for them. Employee monitoring systems — including time and attendance tracking, productivity monitoring, and location tracking — require careful DPIA analysis because they combine large-scale systematic monitoring with employment law sensitivities and constitutional privacy protections. Health data processing in clinical or occupational health contexts combines Article 9 special category data with the special requirements of Spain’s LOPDGDD. In each of these areas, we apply a methodology calibrated to the specific processing activity and its risk profile, not a generic template.

Cross-Border and International Dimension

DPIAs for processing activities that involve international data transfers — personal data sent to cloud providers, CRM platforms, or analytics tools outside the EEA — must address both the standard DPIA risk assessment and the Transfer Impact Assessment (TIA) required for third-country transfers. These are formally distinct instruments, but they are most efficiently conducted as an integrated exercise. Where both the outsourced DPO function and the DPIA service are engaged, the DPO leads the assessment process with in-depth knowledge of the organisation’s processing activities — producing faster, more accurate results.

Maintaining the DPIA Register

A DPIA is not a one-time exercise — it is a document that must be updated when the processing changes materially. The introduction of a new AI model, a change in data retention periods, a new international transfer destination, or the extension of processing to a new category of data subjects all require a DPIA review. We design DPIA management systems that integrate with your data protection programme’s record of processing activities, ensuring that trigger events for a DPIA review are identified and acted upon as part of normal business operations rather than discovered retrospectively during an AEPD inspection.

The DPIA as Evidence in Enforcement Proceedings

The AEPD consistently refers to the presence or absence of a DPIA — and its quality — when determining sanctions in enforcement decisions. A controller that processed high-risk data without a DPIA, or with a superficial one that did not genuinely assess the risks, is in a structurally weaker position in any subsequent investigation. Conversely, a controller that conducted a rigorous DPIA, identified the relevant risks, implemented meaningful mitigations, and documented its accountability reasoning demonstrates exactly the conduct the GDPR accountability principle requires.

DPIAs for Specific Processing Categories

Certain processing categories recur frequently enough that we have developed specialist methodologies for them. Employee monitoring systems — including time and attendance tracking, productivity monitoring, and location tracking — require careful DPIA analysis because they combine large-scale systematic monitoring with employment law sensitivities and constitutional privacy protections. Health data processing in clinical or occupational health contexts combines Article 9 special category data with the special requirements of Spain’s LOPDGDD. In each of these areas, we apply a methodology calibrated to the specific processing activity and its risk profile, not a generic template.

Cross-Border and International Dimension

DPIAs for processing activities that involve international data transfers — personal data sent to cloud providers, CRM platforms, or analytics tools outside the EEA — must address both the standard DPIA risk assessment and the Transfer Impact Assessment (TIA) required for third-country transfers. These are formally distinct instruments, but they are most efficiently conducted as an integrated exercise. Where both the outsourced DPO function and the DPIA service are engaged, the DPO leads the assessment process with in-depth knowledge of the organisation’s processing activities — producing faster, more accurate results.

Maintaining the DPIA Register

A DPIA is not a one-time exercise — it is a document that must be updated when the processing changes materially. The introduction of a new AI model, a change in data retention periods, a new international transfer destination, or the extension of processing to a new category of data subjects all require a DPIA review. We design DPIA management systems that integrate with your data protection programme’s record of processing activities, ensuring that trigger events for a DPIA review are identified and acted upon as part of normal business operations rather than discovered retrospectively during an AEPD inspection.