Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment (DPIA) is required under Art. 35 GDPR when data processing is likely to result in a high risk to the rights and freedoms of natural persons. This is frequently the case with AI systems.

When is a DPIA required?

Automated individual decision-making with legal effects (Art. 22 GDPR)
Large-scale processing of special categories of personal data
Systematic monitoring of publicly accessible areas
Profiling with significant effects on data subjects
New technologies (AI systems qualify as new technology)

DPIA Process in 6 Steps

1. Describe the processing — What data, what purpose, what legal basis, what recipients?
2. Assess necessity and proportionality — Is the processing necessary? Are there less intrusive alternatives?
3. Evaluate risks to data subjects — Likelihood and severity of potential harm.
4. Define mitigation measures — Technical and organizational measures, pseudonymization, access controls.
5. Create documentation — Record findings, measures, and residual risks.
6. Review regularly — A DPIA is not a one-time document — update when the system changes.

DPIA and EU AI Act

The EU AI Act supplements the GDPR DPIA with AI-specific requirements:

High-risk AI systems require a DPIA plus an AI-specific risk assessment
Art. 27 EU AI Act requires a fundamental rights impact assessment for certain deployers
The DPIA can be combined with the AI risk assessment

Self-Hosted AI Advantage

With self-hosted AI (e.g., Ollama locally), the DPIA is significantly simpler: no third-country transfers, no data processing agreements needed, full control over data. Residual risk is lower than with cloud AI.

Sources

GDPR Art. 35 — Data Protection Impact Assessment (EUR-Lex)

When is a DPIA required?

DPIA Process in 6 Steps

DPIA and EU AI Act

Self-Hosted AI Advantage

Further Reading

Sources

Next step: operationalize compliance