Executive summary · TL;DR

The DPIA (Data Protection Impact Assessment) is a structured process to identify and mitigate risks to personal data prior to a high-risk processing activity. Article 35 of the GDPR makes it mandatory in defined scenarios. This guide explains when it applies, the AEPD's free-to-use Gestiona tool, and the step-by-step methodology recommended by the Spanish supervisory authority.

Sources: GDPR (Regulation (EU) 2016/679) · AEPD · EDPB Guidelines

The DPIA (Data Protection Impact Assessment) is one of the key tools introduced by the GDPR to implement the principle of accountability. However, many organisations are unsure when it is mandatory, how to carry it out, and what content it must include. In this guide I explain step by step everything you need to know.

What is a DPIA and when is it mandatory?

A DPIA is a structured process for identifying, analysing and mitigating risks to the rights and freedoms of individuals when carrying out a personal data processing activity that may pose a high risk. It is regulated by Article 35 of the GDPR.

A DPIA is mandatory whenever a processing activity is likely to result in a high risk to the rights and freedoms of natural persons. The GDPR identifies three scenarios in which the DPIA is automatically required: systematic and extensive evaluation of personal aspects based on automated processing (including profiling) that produces legal effects or similarly significantly affects the person; large-scale processing of special categories of data (Article 9 GDPR) or of data relating to criminal convictions and offences; and systematic monitoring of publicly accessible areas on a large scale.

AEPD list of processing activities subject to DPIA

The AEPD has published a list of processing activities that require DPIA, including: systematic profiling that significantly affects people (credit scoring, talent selection, employee assessment); large-scale processing of biometric data for unique identification (massive facial recognition); large-scale processing of genetic or health data; the use of innovative or emerging technologies (AI, IoT, blockchain) with intensive personal data processing; large-scale automated solvency or credit-risk assessment; systematic monitoring of employees (productivity, location, communications); and large-scale processing of data of vulnerable groups (minors, dependent persons).

Step-by-step methodology to perform a DPIA

The DPIA methodology suggested by the AEPD consists of six phases.

1. Description of the processing

Document the processing activity in detail: purpose and legal basis, types of personal data processed, categories of data subjects, recipients (including international data transfers), retention period, technical and organisational measures already in place, and the technologies used.

2. Necessity and proportionality assessment

Justify that the processing is necessary to achieve the legitimate purpose and proportionate to it (the same result cannot be achieved with a less privacy-invasive measure). Document compliance with the principles of the GDPR: lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality.

3. Risk identification

Identify potential risks to data subjects: unauthorised disclosure, alteration or unavailability of data, unforeseen secondary uses, decisions based on inaccurate data, discrimination, identity theft, financial loss, reputational damage, etc. Use the AEPD-recommended catalogue of threats as a starting reference.

4. Risk assessment

Assess each risk in terms of likelihood (very low, low, medium, high, very high) and impact (negligible, limited, significant, maximum). Combine both to obtain the risk level and record the result in a risk matrix.

5. Risk treatment

For each identified risk, define mitigation measures: pseudonymisation, encryption, access control, data minimisation, transparency, facilitation of data subject rights, retention limits, etc. Re-assess the residual risk after applying these measures.

6. Prior consultation with the AEPD

If after the treatment the residual risk remains high, you must consult the AEPD prior to commencing the processing (Article 36 GDPR). The AEPD has eight weeks to issue advice (extendable to fourteen for complex cases).
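As an added illustration of steps 3 to 6 (this is example code written for this guide, not AEPD code and not part of the Gestiona tool), the following Python sketch models a small risk register: each risk carries the likelihood and impact scales named above, the residual risk is re-assessed after treatment, risks whose treatment was never documented are flagged, and the register reports whether prior consultation under Article 36 is triggered. The rule that combines likelihood and impact into a risk level (product of the ordinal scores, banded into four levels) is an assumption made here; the AEPD does not prescribe this particular formula, so replace it with the matrix your organisation adopts. The sample register and its risks are constructed for the example.

```python
"""Minimal DPIA risk register covering steps 3 to 6 of the methodology above.

Added example, not AEPD code. The scales are the ones named in the text;
the rule combining likelihood and impact into a risk level is an ASSUMPTION
made for this example (the AEPD does not prescribe this formula).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Ordinal scales from step 4 (likelihood has five levels, impact has four).
LIKELIHOOD = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
IMPACT = {"negligible": 1, "limited": 2, "significant": 3, "maximum": 4}


def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into a risk level.

    ASSUMED rule: multiply the two ordinal scores and band the product
    (>= 12 high, >= 6 medium, >= 3 low, otherwise very low).
    """
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    if score >= 3:
        return "low"
    return "very low"


@dataclass
class Risk:
    """One entry of the risk register (step 3: identification)."""
    description: str
    likelihood: str                                    # inherent, before treatment
    impact: str
    measures: list[str] = field(default_factory=list)  # step 5: treatment
    residual_likelihood: Optional[str] = None          # re-assessed after treatment
    residual_impact: Optional[str] = None

    def inherent_level(self) -> str:
        return risk_level(self.likelihood, self.impact)

    def residual_level(self) -> Optional[str]:
        """None when the residual risk was never re-assessed (a documentation gap)."""
        if self.residual_likelihood is None or self.residual_impact is None:
            return None
        return risk_level(self.residual_likelihood, self.residual_impact)


def evaluate_register(register: list[Risk]) -> dict:
    """Steps 4 to 6: score every risk, find undocumented treatments and decide
    whether prior consultation with the AEPD (Art. 36) is required."""
    undocumented = [r.description for r in register if r.residual_level() is None]
    residual_high = [r.description for r in register if r.residual_level() == "high"]
    return {
        "inherent": {r.description: r.inherent_level() for r in register},
        "residual": {r.description: r.residual_level() for r in register},
        "undocumented_treatment": undocumented,
        "prior_consultation_required": bool(residual_high),
        "risks_requiring_consultation": residual_high,
    }


# Constructed sample register for a hypothetical employee-monitoring processing.
SAMPLE_REGISTER = [
    Risk("Unauthorised disclosure of location data", "high", "significant",
         measures=["encryption at rest", "role-based access control"],
         residual_likelihood="low", residual_impact="significant"),
    Risk("Decisions based on inaccurate productivity data", "high", "maximum",
         measures=["human review before any decision"],
         residual_likelihood="medium", residual_impact="maximum"),
    # Treatment decision never recorded: residual fields left empty on purpose.
    Risk("Unforeseen secondary use of communications metadata", "medium", "significant"),
]

if __name__ == "__main__":
    result = evaluate_register(SAMPLE_REGISTER)
    for name, level in result["inherent"].items():
        print(f"{name}: inherent={level}, residual={result['residual'][name]}")
    print("Undocumented treatment:", result["undocumented_treatment"])
    print("Prior consultation required:", result["prior_consultation_required"])
```

Two things the register makes visible that a narrative DPIA often hides: a risk with an empty residual assessment is exactly the "undocumented treatment decision" listed later under common mistakes, and a single residual "high" is enough to trigger the Article 36 consultation regardless of how the other risks score.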

AEPD Gestiona, a free tool

The AEPD has developed Gestiona, a free tool that guides organisations through the DPIA process by means of a structured questionnaire. It generates a complete document with all GDPR-required content. It is especially useful for SMEs without in-house data protection expertise.

The role of the DPO in the DPIA

The Data Protection Officer (DPO) plays a key role. Their advice is mandatory under Article 35.2 of the GDPR. The DPO must verify the correct performance of the DPIA, advise on the measures to be applied, and supervise compliance with the resulting commitments. If your organisation does not have a designated DPO and you are required to carry out a DPIA, it is highly advisable to engage an external one for the project.

Common mistakes when performing a DPIA

The most common mistakes I encounter when reviewing DPIAs are: treating it as a bureaucratic compliance exercise (which generates an unrealistic document); not involving the affected business areas (resulting in incomplete information); not considering the data subjects' perspective (the DPIA should reflect the impact on the individual, not just on the organisation); not updating the DPIA when the processing changes (a DPIA is a living document); and not documenting risk treatment decisions (auditors will require this evidence).

Authorship: Ángel Ortega Castro · independent consultant on strategy, quality and digitalisation for SMEs.

Frequently asked questions

What is a DPIA and when is it mandatory?

A DPIA (Data Protection Impact Assessment) is a structured process to identify and mitigate risks to personal data when carrying out a high-risk processing activity. It is regulated by Article 35 of the GDPR and is mandatory whenever the processing is likely to result in a high risk to the rights and freedoms of individuals.

What are the GDPR principles?

Lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. The DPIA helps demonstrate compliance with these principles in high-risk processing activities.

What is the AEPD?

The AEPD is Spain's supervisory authority for personal data protection. It publishes the list of processing activities that require a DPIA and provides free tools such as Gestiona to guide organisations through the process.

What sanctions does non-compliance entail?

GDPR fines can reach up to €20 million or 4% of the global annual turnover of the previous financial year, whichever is higher, for the most serious breaches.

Frequently asked questions

How does this apply to my SME?

It applies as long as you serve Spanish customers or process Spanish data; the framework is mandatory above thresholds we summarise in the table.

What does it cost in 2026?

Indicative ranges for SMEs with 10-50 employees: 2,500-12,000 EUR for documentation, plus auditor fees, which vary by certification body (AENOR, BV, SGS, LRQA).

Which Spanish regulation applies?

Depending on scope, the applicable texts published in the BOE are RD 311/2022 (ENS), Regulation (EU) 2016/679 (GDPR), the LOPDGDD, NIS2, DORA and the EU AI Act (Regulation (EU) 2024/1689).

How long does the implementation take?

On average, 4-7 months for a single ISO standard; an integrated management system (SGI) combining 9001, 14001 and 27001 usually takes 8-12 months.

Can I co-finance it with Kit Digital or Kit Consulting?

Yes. Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.

References: AENOR · BOE · ISO

Brain-based marketing is more predictable than opinion-based marketing. — Ángel Ortega Castro