
When is DPIA Required?

Understanding when Data Protection Impact Assessments are legally mandatory.

GDPR Requirements (Article 35)

Coming Soon

GDPR support is coming soon. Currently, our platform fully supports DPDPA (India) compliance.

Under GDPR, a DPIA is mandatory when processing is "likely to result in a high risk to the rights and freedoms of natural persons" (Article 35(1)). Article 35(3) names three cases that always qualify (the first three below), and the Article 29 Working Party guidance (WP248 rev.01, endorsed by the EDPB) adds further criteria. The triggers below combine both:

Systematic and extensive profiling

Automated decision-making with legal or significant effects on individuals

Large-scale processing of special categories

Article 9 data (health, genetic and biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life or sexual orientation) and Article 10 data on criminal convictions and offences

Large-scale public monitoring

Systematic monitoring of a publicly accessible area on a large scale (CCTV, etc.)

New technologies

Processing using innovative technologies where risks are not yet fully understood

Scoring and profiling

Evaluating personal aspects to make predictions about individuals

Cross-referencing datasets

Matching or combining datasets from different sources

Vulnerable data subjects

Processing data of children, employees, or others in imbalanced power relationships

Preventing service access

Processing that could deny individuals access to a service or contract

Two or More Criteria: The Article 29 Working Party guidance states that processing meeting two or more of these criteria will in most cases require a DPIA. One criterion can be enough where the processing is particularly intrusive, and the Article 35(3) cases require a DPIA regardless of the count. If you decide not to carry out a DPIA, document the reasoning: the supervisory authority can ask for it.

DPDPA Requirements (India)

Available Now

Under India's Digital Personal Data Protection Act, 2023, a DPIA is a statutory obligation of Significant Data Fiduciaries (Section 10(2)(c)), who must carry it out periodically alongside an independent audit. The Central Government notifies a Data Fiduciary as significant under Section 10(1) on factors that include:

Volume and sensitivity of the personal data processed
Risk to the rights of data principals
Potential impact on the sovereignty and integrity of India, electoral democracy, security of the State, or public order

Unlike GDPR, the Act has no list of processing operations that trigger a DPIA by themselves: it does not define a "sensitive personal data" category, and processing children's data (Section 9) brings verifiable parental consent and restrictions on tracking and targeted advertising rather than a DPIA requirement. Volume, sensitivity and children's data still matter in practice, because they feed the notification decision and a DPIA remains the sensible way to evidence the fiduciary's safeguards for such processing.

When DPIA is NOT Required

Under GDPR, a DPIA may not be necessary when:

Processing is very similar to an operation already covered by an existing DPIA (Article 35(1) allows a single assessment for a set of similar operations presenting similar high risks)
Processing is required by Union or Member State law under Article 6(1)(c) or (e), that law regulates the specific operation, and a DPIA was already carried out when the law was adopted (Article 35(10))
Processing is on a supervisory authority's published list of operations for which no DPIA is required (Article 35(5))
Processing does not involve the high-risk elements defined above; record why, since the decision not to assess is itself something the authority can review

Common DPIA Triggers by Industry

Healthcare

  • Patient health records
  • Medical research
  • Telemedicine platforms

Financial Services

  • Credit scoring
  • Fraud detection systems
  • KYC processes

E-commerce

  • Behavioral targeting
  • Customer profiling
  • Loyalty programs

HR/Employment

  • Employee monitoring
  • Background checks
  • Performance analytics

DPIA Decision Flowchart

1. Is this a new processing activity, or a significant change to an existing one?
No, and a current DPIA already covers it: no new assessment is needed
2. Does it fall under Article 35(3) (automated decisions with legal or similarly significant effects, large-scale special-category data, large-scale monitoring of public areas)?
Yes: DPIA is required
3. Otherwise, does it meet two or more of the high-risk criteria above?
Yes: DPIA is required
No: DPIA is not automatically mandatory; record the reasoning, and run one anyway if a single criterion applies with unusual intensity or the level of risk is unclear