
When and How Often Should You Review or Update a DPIA?

Author: Jerisaliant

The DPIA Is a Living Document

GDPR Article 35(11) states that the controller shall, where necessary, carry out a review to assess whether processing is being performed in accordance with the DPIA, at least when there is a change in the risk represented by the processing operations. A DPIA is therefore not a one-time document but an ongoing compliance instrument that must be kept current.

Scheduled Reviews

Best practice is to establish a minimum review frequency:

  • Annual review: The most common cadence. Review the entire DPIA annually to verify that processing still matches the description, risks are unchanged, and mitigations remain effective.
  • Semi-annual review: Recommended for high-risk processing activities or rapidly evolving systems.
  • Quarterly review: For the highest-risk activities, particularly those involving AI/ML, biometrics, or children's data.

Trigger Events for Ad-Hoc Reviews

Beyond scheduled reviews, certain events should trigger an immediate DPIA update:

  • New data categories: Collecting a new type of personal data (e.g., adding health data to an existing system).
  • New processing purposes: Using existing data for a new purpose not covered by the original DPIA.
  • New technology: Introducing AI/ML, biometric processing, IoT devices, or other new technology to the processing activity.
  • New third parties: Engaging new data processors, sub-processors, or sharing data with new recipients.
  • Regulatory changes: New laws, DPA guidance, or court rulings affecting the processing.
  • Security incidents: A data breach or near-miss related to the processing activity.
  • Complaints or DSAR patterns: Repeated data subject complaints or data subject access requests (DSARs) that suggest privacy concerns with the processing.
  • Significant scale changes: Processing now covers significantly more data subjects or data volume than originally assessed.

The Review Process

A DPIA review should follow a structured process:

  1. Compare current state to DPIA: Does the processing description still match reality?
  2. Update data flows: Have data flows changed? New integrations, new storage locations, new third parties?
  3. Reassess risks: Have any risks changed in likelihood or severity? Have new risks emerged?
  4. Verify mitigations: Are all mitigation measures still in place and effective?
  5. Update residual risk: Has the overall residual risk level changed?
  6. DPO review: Have the DPO review the updates and provide a new opinion if warranted.
  7. Document and sign off: Record the review date, findings, changes, and approver.

Version Control

Maintain a clear version history for each DPIA:

  • Version number and date
  • Summary of changes from previous version
  • Reason for update (scheduled review, trigger event, etc.)
  • Author and reviewer/approver

Retain previous versions for the legally required retention period, as they demonstrate your ongoing compliance efforts over time.

Jerisaliant automates DPIA review scheduling with configurable cadences and trigger-based alerts, maintains full version history, and provides side-by-side comparison between DPIA versions.
