Glossary

Data Protection Impact Assessment (DPIA)

Systematic analysis of privacy risks in new processing, mandatory for high-risk processing under GDPR.


A DPIA is a structured risk assessment you must conduct before starting any data processing that is likely to result in a high risk to individuals. Under GDPR Article 35, this is mandatory when you use new technologies, process data at large scale, systematically monitor public areas, or make automated decisions with legal effects. For AI startups, a DPIA is almost always required because AI processing typically involves profiling, automated decision-making and large-scale data analysis.

How to conduct a DPIA:

  • Describe the processing: What data do you process, where does it come from, how does it flow through your systems, and what is the output? Include your AI model's role in the processing chain.
  • Assess necessity and proportionality: Is this processing actually necessary for your purpose? Could you achieve the same goal with less data or a less invasive approach?
  • Identify risks to individuals: What could go wrong from the data subject's perspective? Consider discrimination, financial loss, reputational damage, loss of confidentiality, and loss of control over personal data.
  • Define mitigating measures: For each risk, describe what you will do to reduce it. Examples: anonymisation, access restrictions, human oversight for automated decisions, data minimisation, encryption.
  • Document and review: A DPIA is a living document. Review it when your processing changes, when you update your AI model, or at least annually.

When is a DPIA required?

  • Automated decision-making with legal or significant effects (e.g. credit scoring, hiring tools)
  • Large-scale processing of sensitive data (health, biometrics, political opinions)
  • Systematic monitoring of publicly accessible areas
  • Using new technologies (AI, machine learning, IoT) for processing personal data

The ICO DPIA guidance provides templates and examples. Tidal Control provides a DPIA workflow that guides you through each step, links findings to your risk register and generates audit-ready documentation.
