GRC Answer
When is a DPIA required under the GDPR?
A Data Protection Impact Assessment (DPIA) is mandatory under GDPR Article 35 whenever processing is likely to result in a high risk to the rights and freedoms of individuals. Article 35(3) names three cases that always require one: systematic and extensive profiling with legal effects, large-scale special-category data processing, and systematic monitoring of a publicly accessible area at scale. The EDPB adds nine criteria; two or more typically require a DPIA. Acuna's data privacy management carries a built-in screener against the EDPB criteria on every processing activity, so the question is answered as part of recording the activity, not as a separate project.
Related questions