GDPR Obligations | Updated: 7 April 2026 | 5 min read

DPIA: When Is a Data Protection Impact Assessment Required?

A DPIA (Data Protection Impact Assessment) is only mandatory for high-risk processing. This article explains when you need one, when you don't, and how to carry one out.

Key Takeaways
  • A DPIA is only mandatory for processing that poses a high risk to the rights and freedoms of individuals
  • Most SMEs do not need a DPIA for their standard processing activities
  • The supervisory authority publishes a list of processing operations that require a DPIA
  • A DPIA is not a one-off document but must be updated when the processing changes

What is a DPIA?

A DPIA (Data Protection Impact Assessment) is an assessment of the risks that a particular processing of personal data poses to the individuals concerned. The GDPR requires this in Article 35 for processing that poses a high risk to the rights and freedoms of natural persons.

In plain language: you assess in advance whether a processing activity could cause problems for the people whose data you process, and what you do to mitigate those risks.

When is a DPIA mandatory?

The GDPR names three situations where a DPIA is always required:

1. Systematic and extensive profiling with significant effects

Think of: a bank that automatically decides on credit applications based on profile data, or an insurer that calculates premiums based on extensive behavioural analysis.

2. Large-scale processing of special categories of data

Special categories include health data, biometric data, data on race or religion, and criminal records. A hospital managing patient records falls under this. An SME that happens to know an employee is diabetic does not.

3. Large-scale, systematic monitoring of publicly accessible areas

The classic example is an extensive CCTV system in a shopping centre or city centre.

Additionally, supervisory authorities publish lists of processing operations that require a DPIA. These typically include:

  • Use of biometric data for identification
  • Merging databases from different sources
  • Systematic monitoring of employees
  • Large-scale processing of data from vulnerable persons (children, elderly, patients)

When do you NOT need a DPIA?

Most SMEs carry out standard processing that does not pose a high risk. A few examples:

  • Customer management in a CRM - you store contact details and order history. No special categories, no profiling. No DPIA needed.
  • Payroll and HR administration - name, address, salary data, contracts. Standard processing. No DPIA needed.
  • Sending newsletters - email addresses with consent. No DPIA needed.
  • Accounting and invoicing - billing data for customers and suppliers. No DPIA needed.
  • A few security cameras at your premises, as long as it’s not large-scale and systematic. Usually no DPIA needed (but for larger installations, see our guide on CCTV surveillance).

The rule of thumb: if you process data in a way comparable to what thousands of other SMEs also do, you’re unlikely to need a DPIA.

How do you carry out a DPIA?

If you do need a DPIA, follow these steps:

Step 1: Describe the processing

Document:

  • Which personal data you process
  • The purpose
  • The legal basis (e.g. legitimate interest, consent)
  • Who has access
  • How long you retain the data
  • Which technology you use

Step 2: Assess necessity and proportionality

Ask yourself:

  • Is this processing truly necessary for the purpose?
  • Can I achieve the purpose with less data or a less intrusive method?
  • Is the retention period no longer than necessary?

Step 3: Identify the risks

Look at the risks from the perspective of the data subject, not your own organisation. Consider:

  • What if the data leaks? How bad is that for the data subject?
  • What if the data is inaccurate? What are the consequences?
  • Do data subjects have sufficient control over their data?

Step 4: Determine measures

For each risk, determine which measures you take to mitigate it:

  • Technical measures (encryption, access control, pseudonymisation)
  • Organisational measures (training, procedures, contracts)
  • Limitations on the processing itself (less data, shorter retention period)

Step 5: Document and maintain

Record everything in a document. A DPIA is not a one-off exercise; you must update it when the processing changes, when new risks arise, or when the technology changes.

Practical advice for SMEs

  • Check the supervisory authority’s list - see whether your processing operations appear on the mandatory DPIA list
  • Start with your records of processing activities - if those are in order, you can quickly see which operations may require a DPIA
  • Use a template - you don’t need to reinvent the wheel. Supervisory authorities provide templates
  • Seek advice if in doubt - if you’re unsure whether you need a DPIA, it’s wiser to carry one out than to ignore it

Do you know if you need a DPIA?

GDPRWise analyses your processing activities and gives you a clear answer: DPIA needed or not. And if you do, we help you get started.

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.