A Data Protection Impact Assessment — in German a Datenschutz-Folgenabschätzung (DSFA) — is a structured risk assessment the GDPR requires before certain kinds of processing. Where processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must, before starting, assess that risk and the measures to address it. The DPIA is therefore a forward-looking exercise: it is done in advance, precisely so that risks are caught and mitigated before any data is processed.
Why DPIAs exist
The DPIA embodies the GDPR’s accountability and privacy-by-design principles. Rather than reacting to harm after the fact, it forces an organisation to think systematically about what could go wrong before deploying a high-risk processing activity, and to build in safeguards. It also produces documentation — evidence that the organisation considered the risks responsibly, which is valuable both for internal decision-making and for demonstrating compliance to a supervisory authority.
When a DPIA is required
A DPIA is mandatory where processing is likely to result in a high risk to individuals. The GDPR gives examples: systematic and extensive evaluation based on automated processing, including profiling, on which decisions are based; large-scale processing of special categories of data; and systematic monitoring of publicly accessible areas on a large scale. Supervisory authorities also publish lists of operations requiring a DPIA. When in doubt, conducting one is the prudent course.
The criteria for high risk
To judge whether processing is high-risk, organisations consider factors such as evaluation or scoring, automated decision-making with legal or similar effects, systematic monitoring, sensitive data, large scale, the matching or combining of datasets, data concerning vulnerable individuals, innovative use of technology, and processing that prevents people from exercising a right or using a service. The more of these factors are present, the more likely a DPIA is required.
What a DPIA must contain
The GDPR specifies the minimum content of a DPIA: a systematic description of the processing operations and their purposes; an assessment of the necessity and proportionality of the processing in relation to those purposes; an assessment of the risks to individuals’ rights and freedoms; and the measures envisaged to address those risks, including safeguards and security measures. These four elements form the backbone of any compliant assessment.
Step one: describe the processing
The assessment begins with a clear description of what data is processed, how, why, for how long, and with whom it is shared. This includes the data flows, the systems involved, and the parties — controllers, processors, sub-processors. A precise description is the foundation for everything that follows; risks cannot be assessed accurately if the processing itself is not well understood.
Step two: assess necessity and proportionality
Next, the DPIA examines whether the processing is necessary and proportionate to its purpose. This means checking that there is a valid lawful basis, that the data is minimised to what is needed, that retention is limited, and that individuals are properly informed and able to exercise their rights. Often this step alone surfaces ways to reduce risk — by collecting less data or shortening retention — before the formal risk analysis even begins.
Step three: assess and mitigate risks
The core of the DPIA is identifying the risks to individuals — such as unauthorised access, misuse, discrimination, or loss of control over their data — evaluating their likelihood and severity, and then defining measures to mitigate them. Mitigations might include encryption, access controls, pseudonymisation, additional transparency, or changes to the processing design. The goal is to reduce residual risk to an acceptable level, documented and justified.
Consulting the supervisory authority
If, after mitigation, the processing would still result in a high residual risk, the controller must consult the supervisory authority before proceeding. This prior consultation is a safeguard for the most serious cases, giving the regulator the chance to advise or intervene. In practice, a well-conducted DPIA usually brings residual risk below this threshold, but the obligation to consult where it does not is a firm requirement.
The DPIA as a living document
A DPIA is not a one-time formality filed away after launch. Processing changes, new risks emerge, and technology evolves, so the assessment should be revisited when the processing changes materially, or periodically as a matter of good practice. Treating the DPIA as a living document keeps it accurate and keeps the organisation’s risk picture current — which is the whole point of the exercise.
Practical value beyond compliance
Although the DPIA is a legal obligation, organisations that take it seriously find practical value in it. The process clarifies data flows, often reveals unnecessary data collection, and surfaces security gaps before they become incidents. For software companies, integrating a lightweight DPIA step into the design process for new high-risk features turns a compliance requirement into a genuine risk-reduction tool. Innopulse helps DACH organisations build this assessment into their development workflow.
Conclusion
A Data Protection Impact Assessment is the GDPR’s structured, forward-looking process for high-risk processing: describe the processing, test its necessity and proportionality, assess and mitigate the risks, and consult the regulator if high residual risk remains. Required before processing begins and revisited as things change, the DPIA is both a compliance obligation and a practical tool for catching privacy and security problems before they reach real people.
