DPIA Helper — Data Protection Impact Assessment

Determine if a DPIA is required and scaffold the assessment under GDPR


DPIA Helper does two jobs in one place: it screens your processing against the nine ICO/EDPB high-risk criteria to tell you whether a Data Protection Impact Assessment is legally required under Article 35 of the GDPR, and then it scaffolds the assessment so you are not staring at a blank page. It is built for data protection officers, project managers and product teams who need a defensible answer to “do we need a DPIA?” before a new system, feature or supplier goes live.

How it works

The tool implements the EDPB’s Guidelines on DPIA (WP248) screening test. Each of the nine criteria — evaluation or scoring, automated decision-making with legal or similarly significant effect, systematic monitoring, special-category or highly personal data, large-scale processing, matching or combining datasets, data concerning vulnerable subjects, innovative use of new technology, and processing that prevents subjects exercising a right — is a yes/no question. The widely used rule of thumb is:

criteria met >= 2   ->  DPIA mandatory
criteria met == 1   ->  borderline, document the decision
criteria met == 0   ->  screen-out, but keep a written record

A single criterion can still demand a DPIA on its own (for example large-scale processing of health data), so the tool treats the count as the floor, not the ceiling, and always advises documenting the reasoning.

Scaffolding the assessment

Once screened in, a compliant DPIA needs four substantive sections: a systematic description of the processing and its purposes, an assessment of necessity and proportionality against that purpose, an identification of risks to the rights and freedoms of data subjects, and the measures envisaged to mitigate those risks. The tool generates this outline with prompts under each heading so your team can fill it in consistently. If residual risk remains high after mitigation, it flags the Article 36 prior-consultation obligation with your supervisory authority.

Everything runs in your browser — no answers about your projects are ever uploaded or stored.
