A Data Protection Impact Assessment (DPIA) is a process required by GDPR Article 35 to evaluate the privacy risks of data processing activities that are likely to result in high risk to the rights and freedoms of individuals. LowerPlane provides a structured workflow for creating, conducting, and managing DPIAs.

When Is a DPIA Required

GDPR mandates a DPIA before starting any processing that is likely to result in high risk. The following activities typically require a DPIA:
  • Systematic and extensive profiling with significant effects on individuals
  • Large-scale processing of special category data (health, biometric, racial/ethnic origin, political opinions, religious beliefs)
  • Systematic monitoring of publicly accessible areas on a large scale
  • Automated decision-making including profiling that produces legal or similarly significant effects
  • Large-scale processing of personal data (e.g., processing data of an entire city’s population)
  • Innovative technologies where the privacy impact is not yet well understood
  • Data matching or combining datasets from different sources
  • Processing data of vulnerable individuals (children, employees, patients)
Failing to conduct a DPIA when required is a direct GDPR violation. Supervisory authorities can impose fines for missing or inadequate DPIAs, even if no data breach occurs.

Creating a DPIA

  1. Navigate to GDPR > DPIA: open the DPIA section from the GDPR module.
  2. Click Create DPIA: start a new assessment. You can link it to an existing ROPA (Record of Processing Activities) entry to pre-populate processing details.
  3. Describe the processing: document the nature, scope, context, and purposes of the processing activity being assessed.
  4. Assess necessity and proportionality: evaluate whether the processing is necessary for the stated purpose and whether less intrusive alternatives exist.
  5. Identify and assess risks: document the risks to data subjects’ rights and freedoms, assessing both likelihood and severity.
  6. Define mitigation measures: for each identified risk, document the measures you will implement to reduce the risk to an acceptable level.
  7. Record the outcome: document the final decision: proceed, proceed with modifications, or do not proceed.

DPIA Structure

Each DPIA in LowerPlane contains the following sections:

Processing Description

Field            | Description
Activity name    | The processing activity being assessed
Data controller  | Organization responsible for the processing
Data processor   | Third parties processing data on your behalf (if applicable)
Purpose          | Why the data is being processed
Data categories  | Types of personal data involved
Data subjects    | Categories of individuals affected
Data volume      | Approximate number of records or individuals
Technology used  | Systems and tools involved in the processing

Necessity and Proportionality

Document your assessment of:
  • Is the processing necessary to achieve the stated purpose?
  • Could the purpose be achieved with less data or a less intrusive method?
  • Is the amount of data collected proportionate to the purpose?
  • What is the legal basis for processing?

Risk Assessment

For each identified risk, record:

Field            | Description
Risk description | What could go wrong for data subjects
Likelihood       | Low, medium, or high probability of occurrence
Severity         | Low, medium, or high impact on data subjects
Risk level       | Combined assessment (likelihood × severity)
Source of risk   | Where the risk originates (technology, process, people)

Common risks to assess include:
  • Unauthorized access to personal data
  • Accidental data disclosure or loss
  • Inaccurate data leading to incorrect decisions
  • Excessive data collection beyond what is necessary
  • Insufficient data retention controls
  • Cross-border transfer risks

Mitigation Measures

For each risk, document the measures that reduce it to an acceptable level:
  • Technical measures (encryption, access controls, anonymization, pseudonymization)
  • Organizational measures (training, policies, procedures, audits)
  • Contractual measures (data processing agreements, standard contractual clauses (SCCs) for international transfers)
  • Monitoring measures (logging, alerting, periodic reviews)
Link mitigation measures to specific LowerPlane controls where possible. This creates a direct connection between your DPIA commitments and your compliance monitoring.

Outcome and Decision

Record the final assessment outcome:
  • Proceed — Risks are acceptable given the mitigation measures in place
  • Proceed with modifications — Processing can proceed after additional measures are implemented
  • Do not proceed — Risks cannot be sufficiently mitigated; consult the supervisory authority
  • Consult supervisory authority — Required under Article 36 when residual risk remains high

Managing DPIAs

Review and Update

DPIAs are not one-time documents. Review and update them when:
  • The processing activity changes (new data types, new purposes, new technology)
  • New risks are identified
  • Mitigation measures prove ineffective
  • The regulatory environment changes
  • Significant time has passed since the last review (recommended: annually)

Approval Workflow

DPIAs should be reviewed and approved by:
  1. The Data Protection Officer (if appointed)
  2. The processing activity owner
  3. Relevant stakeholders (IT security, legal, business unit)
LowerPlane tracks approval status and approval dates for each DPIA.

Exporting DPIAs

Export completed DPIAs as PDF documents for:
  • Supervisory authority consultations
  • Audit evidence packages
  • Internal governance records
  • Stakeholder communication

DPIA as Compliance Evidence

Completed DPIAs serve as evidence for:

GDPR Article | Requirement
Article 35   | Conducting DPIAs for high-risk processing
Article 36   | Prior consultation with supervisory authority (when applicable)
Article 24   | Demonstrating compliance (accountability principle)
Article 25   | Data protection by design and by default
Article 32   | Appropriate security measures (via mitigation documentation)

Even if a DPIA concludes that risks are acceptable, the completed assessment itself is valuable evidence of your organization’s accountability and due diligence under GDPR.