GDPR DPIA Checklist — Article 35 Data Protection Impact Assessment

EDPB criteria triggering mandatory DPIA when two or more apply: systematic profiling, automated decision-making with legal/significant effects, large-scale processing of special category data, large-scale public monitoring, processing children's data at scale, innovative technology use, data combinations enabling re-identification, cross-border transfers of large datasets. Consult your supervisory authority's published blacklist for per se mandatory activities.

If a DPO has been designated, Article 35(2) requires mandatory consultation before conducting the DPIA. Document the DPO's advice and recommendations. The DPO's involvement does not transfer responsibility — the controller retains accountability. Record when the DPO was consulted and their written assessment.

Document: what data is collected, from whom, how, why, how long it's retained, who has access, what systems process it, and any automated logic applied. The description must be sufficient for the risk assessment to be meaningful. Generic descriptions ('HR data for employment purposes') are insufficient — be specific about every stage of the data lifecycle.

Document why this processing is necessary to achieve the stated purpose (could you achieve the same goal with less data or less invasive means?). Confirm a lawful basis under Article 6 exists. For special category data, confirm an Article 9(2) exception applies. Evaluate data minimisation, storage limitation, and purpose limitation compliance.

For each identified risk, document: the source of the risk, the harm that could result (physical, material, or non-material), the likelihood of occurrence, and the severity of the potential harm. EDPB recommends assessing risks from the data subject's perspective, not the organisation's. Consider risks from accidental loss, unauthorised access, unlawful processing, and inaccuracy.

For every risk, document the technical and organisational measures that will be implemented to mitigate it. Measures must be specific and actionable — 'we use security measures' is insufficient. Examples: encryption specifications (algorithm, key management), access controls (RBAC, MFA), pseudonymisation, data minimisation techniques, processor contractual requirements, and incident response procedures.

After documenting mitigation measures, re-evaluate the likelihood and severity of each risk. If residual risk remains 'high' after all feasible measures are applied, you must consult the supervisory authority before processing (Article 36). Document the residual risk assessment with the DPO's sign-off. Do not proceed with high-residual-risk processing without prior consultation.

If the DPIA concludes that residual risk is high despite mitigation, you must consult the competent supervisory authority before proceeding. Provide the DPIA and processing documentation. The supervisory authority has up to 8 weeks to respond (extendable by 6 weeks for complex cases). Do not begin processing until you receive written advice or the period expires without prohibition.

Article 35(9) requires controllers to seek views of data subjects or their representatives 'where appropriate, without prejudice to the protection of commercial or public interests.' Document your assessment of whether consultation is appropriate and, if not, the justification. For consumer-facing products processing sensitive data, consultation is generally appropriate.

Article 25 requires controllers to implement appropriate technical and organisational measures designed to implement data protection principles. The DPIA should confirm that privacy-by-design is built into the system architecture: pseudonymisation by default, data minimisation at point of collection, access controls enforced at system level, and retention limits enforced automatically.

If the processing involves processors (SaaS vendors, cloud providers, analytics tools), the DPIA must assess the risks their involvement creates. Review processor data processing agreements under Article 28, assess their subprocessor chains, verify they implement equivalent security measures, and document transfer mechanisms if data leaves the EEA.

If personal data will be transferred outside the EEA, document the transfer mechanism: adequacy decision (Article 45), Standard Contractual Clauses (Article 46(2)(c-d)), Binding Corporate Rules (Article 47), or derogations (Article 49). Post-Schrems II, SCCs must be accompanied by a Transfer Impact Assessment for transfers to third countries without adequacy.

A DPIA is not a one-time exercise. Article 35(11) requires ongoing review 'to assess if processing is performed in accordance with the DPIA at least when there is a change of the risk.' Document review triggers: system changes, new processing purposes, new categories of data, incidents, or supervisory authority guidance. Conduct formal reviews at least annually for high-risk processing.

Maintain the completed DPIA, all supporting documentation, consultation records, and review history for as long as the processing activity continues and for a period after cessation sufficient to defend against regulatory enquiries. EDPB recommends retention aligned with the relevant limitation period in your jurisdiction (typically 3-5 years post-processing).