Data Protection Impact Assessment for AI
A Data Protection Impact Assessment (DPIA) is mandatory for many AI projects — and even without obligation, it's a valuable tool to systematically identify and minimize data protection risks.
When Is a DPIA Mandatory?
Under Art. 35 GDPR, a DPIA is mandatory when processing is likely to result in a high risk to the rights and freedoms of natural persons. For AI, this often applies:
Mandatory for AI when at least two criteria are met:
- Profiling and scoring: AI evaluates or classifies individuals
- Automated decisions: AI makes decisions with legal effect
- Systematic monitoring: AI monitors behavior or activities
- Sensitive data: Processing special categories (health, biometrics)
- Large-scale data: Processing data of many individuals
- New technologies: AI is considered "new technology" per se
- Vulnerable groups: Affected persons are employees, children, patients
Practical rule: For most AI systems processing personal data, a DPIA is recommended — when in doubt, conduct one.
How to Conduct a DPIA
Phase 1: Description of Processing
- What exactly does the AI system do?
- What personal data is processed?
- What legal basis applies?
- Who has access to the data?
- How long is data stored?
Phase 2: Assessment of Necessity and Proportionality
- Is AI the least intrusive means for the purpose?
- Are only necessary data processed (data minimization)?
- Are there alternatives with less data protection risk?
Phase 3: Risk Assessment
For each identified risk, assess:
| Risk | Likelihood | Severity | Risk Level |
|---|---|---|---|
| Unintended bias / discrimination | Medium | High | High |
| Data leak to provider | Low | High | Medium |
| Wrong automated decision | Medium | Medium | Medium |
Phase 4: Risk Mitigation Measures
Define concrete countermeasures for each risk:
- Technical measures (encryption, anonymization, access controls)
- Organizational measures (training, four-eyes principle, audits)
- Contractual measures (data processing agreement (DPA), liability clauses, SLA)
Phase 5: Documentation and Review
- Document DPIA in writing
- Involve the Data Protection Officer
- Update regularly (at least annually or on changes)
DPIA Template for AI Projects
A practical checklist for your DPIA:
- ☐ Processing purpose described
- ☐ Data types and affected persons identified
- ☐ Legal basis reviewed and documented
- ☐ Necessity and proportionality assessed
- ☐ Risks identified and evaluated
- ☐ Measures defined and implemented
- ☐ Data Protection Officer consulted
- ☐ Next review date set
When to Consult the Supervisory Authority?
If after the DPIA a high residual risk remains that cannot be further minimized, you must consult the competent supervisory authority (Art. 36 GDPR) — before starting the processing.
Practical Tip: Don't conduct the DPIA as a one-time compliance exercise, but as a living document. Every model update, every expansion of the use case requires an update.