Artifact GuideEU

EU GDPR DPIA and risk management

Use this page to decide when a GDPR data protection impact assessment is needed, what Article 35 requires it to contain, and how to record risk treatment before launch.

Grounded in GDPR Articles 35 and 36 plus CNIL and Irish DPC DPIA guidance on high-risk processing, PIA structure, residual risk, mitigation measures, and prior consultation.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
7

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

A GDPR DPIA is not a generic privacy checklist. Article 35 requires the controller to assess planned processing before it starts when the nature, scope, context, and purposes are likely to create a high risk to individuals. The record should show the trigger analysis, the processing description, necessity and proportionality, risks to rights and freedoms, measures selected to address those risks, residual risk, DPO advice where there is a DPO, and whether prior consultation is required before proceeding.

Section 1

When Article 35 requires a DPIA

Start with the planned processing, not with a template. Article 35 applies before processing where a type of processing, especially one using new technologies, is likely to result in a high risk to natural persons after considering the nature, scope, context, and purposes of the processing.

The GDPR lists three cases where a DPIA is particularly required: systematic and extensive automated evaluation or profiling with legal or similarly significant effects, large-scale processing of special category data or criminal-offence data, and large-scale systematic monitoring of a publicly accessible area. A single DPIA may cover similar processing operations that present similar high risks.

  • Screen new products, material feature changes, new data uses, monitoring, profiling, sensitive-data processing, and large-scale operations before launch.
  • Record the facts used in the trigger decision: technology, data categories, data-subject groups, scale, geography, duration, purpose, monitoring, profiling, and effect on access to rights, services, or contracts.
  • If several high-risk operations are similar, document why one DPIA covers the set rather than leaving each operation unassessed.
  • If the controller decides no DPIA is needed despite risk indicators, keep the documented reason with the processing record and reassess when risk changes.
Sources for this answer
Regulation (EU) 2016/679 (GDPR), Articles 35 and 36
Article 35 sets the high-risk trigger, examples requiring DPIAs, minimum DPIA content, DPO-advice requirement, data-subject views, and review duty; Article 36 sets prior consultation limits.
Irish Data Protection Commission - Data Protection Impact Assessments
DPC guidance explains high-risk screening, WP29-style risk criteria, and documentation of reasons when a DPIA is not carried out.
Section 2

What the DPIA must contain

Article 35(7) gives the minimum contents: a systematic description of the envisaged processing and purposes, an assessment of necessity and proportionality, an assessment of risks to individuals' rights and freedoms, and measures envisaged to address those risks and demonstrate GDPR compliance.

Treat the DPIA as an evidence package. The DPC sample structure and CNIL templates both point toward a processing overview, data and recipient map, consultation record, necessity and proportionality analysis, risk table, mitigation plan, residual-risk approval, DPO advice where applicable, and review owner.

  • Describe processing operations across collection, use, storage, sharing, access, retention, and deletion rather than only naming the product.
  • Map data categories, recipients, retention periods, processors, transfers, supporting assets, and data flows.
  • Explain why the processing is necessary for its purpose and why less intrusive alternatives, minimisation, shorter retention, or narrower access are not sufficient.
  • Link each risk to specific measures, such as safeguards, security controls, governance controls, privacy notices, data-subject rights handling, processor terms, or transfer controls.
  • Save the DPO's advice when there is a designated DPO and record where data-subject or representative views were sought or why consultation was not appropriate.
Sources for this answer
Regulation (EU) 2016/679 (GDPR), Article 35(7)
Article 35(7) is the binding source for the minimum DPIA elements.
CNIL Privacy Impact Assessment (PIA) templates
CNIL templates provide practical fields for context, data, proportionality, rights controls, security-risk analysis, action plans, residual risk, and formal validation.
Irish Data Protection Commission - Data Protection Impact Assessments
DPC guidance provides a DPIA workflow and sample template fields for risk assessment, mitigation, residual risk, sign-off, and review.
Section 3

CNIL and DPC risk-management method

CNIL frames a PIA around four linked steps: context, fundamental principles, risks, and validation. It separates non-negotiable legal principles from risk treatment, so a team cannot accept a high business benefit as a substitute for lawful purpose, minimisation, transparency, rights handling, processor control, or transfer compliance.

For risk analysis, CNIL asks teams to identify feared events, impacts, threats, risk sources, vulnerabilities, severity, and likelihood. The DPC guidance similarly expects a methodological risk record and allows use of the organisation's existing risk tools if they capture data-protection risks and the measures selected to reduce them.

  • Use the context step to name the controller, processors, purposes, processing stakes, personal data, recipients, retention, data flows, and supporting assets.
  • Use the fundamental-principles step to test purpose limitation, lawful basis, minimisation, accuracy, storage limitation, transparency, consent where relevant, data-subject rights, processor governance, and transfers.
  • Use the risk step to rate likelihood and severity for confidentiality, integrity, availability, and other harms to individuals, then document the technical and organisational measures selected.
  • Use the validation step to map initial and residual risk, approve or reject measures, assign action owners, and record whether processing is validated, conditional on improvement, or refused.
Sources for this answer
CNIL Privacy Impact Assessment (PIA) methodology
CNIL methodology grounds the four-step PIA method, likelihood/severity risk assessment, stakeholder roles, continuous improvement, and residual-risk validation.
Irish Data Protection Commission - Data Protection Impact Assessments
DPC guidance supports using a data-protection risk register and documenting risk sources, likelihood, severity, mitigation options, and residual risk.
Section 4

Residual risk, mitigation, and project approval

A DPIA is useful only if it records what changed because of the assessment. For every material risk, identify the measure selected, the risk-reduction effect expected, the owner, implementation timing, and the remaining risk after the measure. CNIL calls those remaining risks residual risks, and its method requires the controller to decide whether selected controls, residual risks, and the action plan are acceptable.

The DPC guidance is explicit that not all risks can be eliminated. Teams can proceed without prior consultation when risks have been identified and mitigated so that no residual high risk remains, but accepted residual high risks require escalation before the project moves forward.

  • Do not mark a risk as mitigated unless the DPIA states how the measure reduces that specific likelihood, severity, exposure, or impact.
  • Keep medium and high risks in a register with mitigation options, approval status, residual rating, and implementation owner.
  • Require a named approval for accepted residual risk and a separate sign-off for measures that still need implementation.
  • Build the accepted measures back into the product, security, procurement, retention, support, and incident-response plans so the DPIA does not sit outside delivery.
  • Review the DPIA when the risk changes, including changes in data, purpose, functionality, supporting assets, threats, vulnerabilities, or affected groups.
Sources for this answer
CNIL Privacy Impact Assessment (PIA) methodology
CNIL methodology supports re-assessing risks after additional controls, determining residual risks, and formally validating or refusing the PIA.
Irish Data Protection Commission - Data Protection Impact Assessments
DPC guidance supports mitigation planning, residual-risk approval, continuing review, and consulting the DPC where residual high risk remains.
Regulation (EU) 2016/679 (GDPR), Article 35(11)
Article 35(11) requires review where necessary, at least when there is a change of the risk represented by processing operations.
Section 5

Prior consultation limits under Article 36

Prior consultation is not a general authority pre-clearance step for every DPIA. Article 36 requires the controller to consult the supervisory authority before processing where the Article 35 DPIA indicates that the processing would result in high risk in the absence of measures taken by the controller to mitigate that risk.

The DPC guidance states the operational boundary in practical terms: if identified risks have been mitigated, consultation is not necessary before proceeding; if residual risk remains high, the controller must consult before moving forward. Even where consultation is not required, the DPIA record should be retained, updated, and available for later audit or investigation.

Does every high-risk GDPR project need a DPIA?

A DPIA is required where the planned processing is likely to result in a high risk to individuals, including the Article 35 examples for significant automated evaluation, large-scale special-category or criminal-offence data, and large-scale systematic monitoring of a publicly accessible area.

What should teams do with residual high risk after a DPIA?

They should not treat the DPIA as complete project approval. The residual high risk must be recorded, mitigation gaps should be clear, and prior consultation with the supervisory authority is required before processing moves forward.

Is publishing a GDPR DPIA mandatory?

The DPC guidance says publishing is not legally mandatory. A controller may publish a summary to support transparency, but should avoid exposing security vulnerabilities or commercially sensitive details.

  • Escalate before launch when the DPIA shows residual high risk after planned measures, or when the measures are insufficiently identified or insufficiently mitigate the risk.
  • Do not use prior consultation to outsource basic DPIA work; complete the processing description, risk assessment, measures, residual-risk decision, and DPO advice first.
  • Keep the prior-consultation decision separate from publication decisions: publishing a DPIA is not generally mandatory, and public summaries should avoid exposing security vulnerabilities or commercially sensitive details.
  • Do not add country-specific consultation forms, national deadlines, or authority procedures unless those exact facts are grounded for the relevant jurisdiction.
Sources for this answer
Regulation (EU) 2016/679 (GDPR), Article 36
Article 36 grounds the prior consultation trigger and the supervisory authority's role where risk is insufficiently identified or mitigated.
Irish Data Protection Commission - Data Protection Impact Assessments
DPC guidance clarifies when consultation is not necessary, when residual high risk requires consultation, and why DPIA records should still be retained and updated.
Recommended next step

Use this Article 35 guide as a DPIA review checklist

Sorena can turn the DPIA triggers, risk register, mitigation plan, residual-risk approval, and prior-consultation checks on this page into cited implementation tasks.

Research workflow
Open Research Copilot for EU GDPR

Ask source-linked questions about DPIA triggers, Article 35 contents, risk treatment, residual risk, and Article 36 prior consultation.

Explore next step
Talk to Sorena
Talk through implementation

Review a DPIA workflow, risk register, mitigation record, or residual-risk escalation path with Sorena.

Explore next step
Primary sources

References and citations

CNIL Privacy Impact Assessment (PIA) methodology
cnil.fr
Referenced sections
  • CNIL methodology supports re-assessing risks after additional controls, determining residual risks, and formally validating or refusing the PIA.
"determine the residual risks"
CNIL Privacy Impact Assessment (PIA) templates
cnil.fr
Referenced sections
  • CNIL templates provide practical fields for context, data, proportionality, rights controls, security-risk analysis, action plans, residual risk, and formal validation.
"used as a complement"
Regulation (EU) 2016/679 (GDPR), Article 36
eur-lex.europa.eu
Referenced sections
  • Article 36 grounds the prior consultation trigger and the supervisory authority's role where risk is insufficiently identified or mitigated.
"consult the supervisory authority prior to processing"
Regulation (EU) 2016/679 (GDPR), Articles 35 and 36
eur-lex.europa.eu
Referenced sections
  • Article 35 sets the high-risk trigger, examples requiring DPIAs, minimum DPIA content, DPO-advice requirement, data-subject views, and review duty; Article 36 sets prior consultation limits.
"likely to result in a high risk"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.