A Data Protection Impact Assessment (DPIA) is, in some cases, a legal requirement under Article 35 GDPR. This applies where a processing operation is likely to result in a high risk to the rights and freedoms of individuals. In other situations, a DPIA can be carried out voluntarily as part of strengthening data protection and demonstrating accountability.

By conducting a DPIA even where the GDPR does not mandate it, a company gains a clear view of risks and mitigating measures, which can reduce the likelihood of sanctions in the event of an investigation. Where processing is sensitive from a privacy perspective, it can be difficult to draw a clear line as to whether a specific operation requires a DPIA. In such borderline cases, it is often prudent to conduct one anyway: the structured process helps the controller map risks and possible mitigating measures, and carrying out the assessment where it was not strictly required demonstrates particular accountability.

Common misconceptions that undermine a data protection impact assessment

Preparing a DPIA is not a one-off exercise to be completed and then forgotten. A common misconception is that the risk assessment can be undertaken without first mapping the processing in full. Without an accurate factual basis, there is a risk of overlooking central threats to privacy, which can lead to inadequate or wholly ineffective mitigating measures. Typical pitfalls include:

  • No complete overview of the processing of personal data: the DPIA is conducted on incorrect or incomplete information.
  • Incorrect risk analysis: the assessment fails to consider likelihood and severity in accordance with Article 35 GDPR.
  • No action plan: the company documents risks but does not describe how they will be addressed.

To avoid these pitfalls, the DPIA needs to be integrated into the entire data protection programme. This means updating the DPIA when changes occur, embedding measures with responsible owners, and documenting everything in line with GDPR’s accountability requirement. With the right support, a DPIA becomes a powerful tool for strengthening both compliance and trust.

How to conduct a data protection impact assessment step by step

A well-executed DPIA follows a clear structure from initiation to follow-up. First, identify and map the personal data involved. Next, analyse the risks that arise and the potential consequences for data subjects. Once the risks are established, document planned measures that reduce the risk to an acceptable level.

  • Map the processing: describe the purposes, categories of personal data, data flows and external recipients.
  • Assess necessity and proportionality: verify that the processing is necessary and proportionate to the purposes.
  • Analyse risks: identify potential consequences for data subjects.
  • Plan risk treatments: describe technical and organisational security measures.
  • Document and follow up: ensure the DPIA is updated when changes occur.

By working systematically, the DPIA becomes a living document that strengthens the organisation’s control over data protection. It also demonstrates to the Data Protection Authority that the company takes risk management seriously and follows GDPR principles.

When companies need help with a data protection impact assessment

Carrying out a DPIA alone can feel overwhelming. This is unsurprising: a DPIA is extensive and requires deep insight into the processing of personal data within its scope. Particularly where processing is complex, with many systems, suppliers and internal stakeholders, the work can be time-consuming. Many companies therefore turn to external consultants to ensure the assessment has the right quality and scope. In our experience, external support often identifies risks that were missed internally or makes preparing the DPIA more efficient.

At Morling Consulting, we support the entire process – from mapping to a completed DPIA and follow-up. Our work delivers a robust data protection impact assessment. We also provide advice from a DPO perspective and can act as your external Data Protection Officer when you need a long-term partner for data protection and compliance.