Data Protection Impact Assessments are one of the most important — and most commonly deferred — tools in an organisation's compliance toolkit. Many organisations are aware that DPIAs exist but treat them as a bureaucratic exercise to be completed after a decision has already been made, rather than as a genuine risk assessment that should inform whether and how processing proceeds.

This approach misunderstands both the purpose and the legal status of the DPIA. Where one is required, it must be completed before the processing begins. And where an organisation fails to conduct a required DPIA, it is in breach of UK GDPR from the moment the processing starts — regardless of whether any individual is harmed as a result.

What Is a DPIA and What Is It For?

A Data Protection Impact Assessment is a structured process for identifying and mitigating the privacy risks of a new processing activity before it begins. It requires the organisation to think systematically about what data is being processed, why, what could go wrong, and what steps are being taken to reduce the risk to individuals.

The DPIA is not primarily a documentation exercise — it is a decision-making tool. Its purpose is to identify whether the risks of a processing activity are acceptable, and if not, what changes would make them so. In some cases, a properly conducted DPIA will lead an organisation to redesign a processing activity, limit its scope, or abandon it entirely. That outcome — however uncomfortable — is precisely what the DPIA process is designed to produce.

Key principle

A DPIA must be completed before processing begins — not after. Conducting a retrospective DPIA to document a decision that has already been implemented does not satisfy the requirement and does not cure the breach that occurred when processing started without one.

When Is a DPIA Legally Required?

Article 35 of UK GDPR requires a DPIA where processing is likely to result in a high risk to the rights and freedoms of individuals. This is a broad standard, and the ICO has published a list of nine processing types that, in its view, always meet this threshold. Where any of these apply, a DPIA is mandatory — there is no discretion.

1. Automated decision-making with significant effects

Processing that involves automated decision-making, including profiling, which produces legal effects or similarly significantly affects individuals — such as automated credit scoring, recruitment screening or insurance underwriting.

2. Large-scale processing of special category data

Processing special category data — health, biometric, genetic, racial or ethnic origin, religious beliefs, trade union membership, sexual orientation — or criminal conviction data on a large scale.

3. Systematic monitoring of publicly accessible areas

Large-scale systematic monitoring of a publicly accessible area, such as CCTV or surveillance systems covering public spaces, transport hubs, shopping centres or similar locations.

4. Matching or combining datasets

Combining, matching or cross-referencing datasets from different sources in ways that go beyond what individuals would reasonably expect — particularly where the combination reveals new information about them.

5. Processing data about vulnerable individuals

Processing involving individuals who are particularly vulnerable relative to the controller — including children, patients, employees, people with mental health conditions, and asylum seekers.

6. Innovative or untested technology

Using new or cutting-edge technologies where the privacy implications are not yet fully understood — including AI-driven processing, Internet of Things devices, facial recognition, location tracking and similar technologies.

7. Data transfer or denial of service

Processing that prevents individuals from exercising a right or using a service or contract — for example, automated systems used by banks to screen customers, or processing used to decide access to public services.

8. Large-scale profiling

Profiling individuals on a large scale — building detailed profiles of their behaviour, preferences, movements or characteristics from data collected across multiple sources or over extended periods.

9. Biometric or genetic data for identification

Processing biometric data for the purpose of uniquely identifying individuals — such as fingerprint readers for building access, facial recognition for timekeeping, or genetic testing for employment purposes.

Where two or more of these criteria apply simultaneously, a DPIA is almost certainly required. But the list is not exhaustive — other processing activities may also require a DPIA if a preliminary risk assessment indicates high risk even though none of the nine criteria are met.

The Two-Criteria Test: When You're Not Sure

For processing that does not clearly fall within one of the nine ICO criteria, the ICO recommends applying a two-part preliminary assessment. A DPIA is likely required if the processing involves two or more of the following factors:

Where two or more of these factors apply, a DPIA should be conducted as a matter of good practice — and in most cases will be legally required.

Don't wait for certainty

Organisations sometimes defer a DPIA because they are not certain whether it is legally required. This is the wrong approach. The cost of conducting a DPIA that turns out not to have been strictly necessary is low. The cost of failing to conduct one that was required — including ICO enforcement and the reputational consequences of a compliance failure — is significantly higher.

What Must a DPIA Contain?

Article 35(7) of UK GDPR sets out the minimum content requirements for a DPIA. It must include:

1. A systematic description of the processing

What data is being processed, by whom, for what purpose, on what legal basis, and how long it will be retained. This should include the nature, scope, context and purposes of the processing in sufficient detail to enable meaningful risk assessment.

2. An assessment of necessity and proportionality

Why is this processing necessary to achieve the purpose? Could the same purpose be achieved with less data, less intrusive means, or a lower-risk approach? Is the processing proportionate to the benefit it delivers?

3. An assessment of risks to individuals

What are the risks to the rights and freedoms of data subjects? This should consider both the likelihood and severity of potential harms — including financial loss, discrimination, reputational damage, loss of control over personal data, and physical harm.

4. The measures to address those risks

What technical and organisational measures are being implemented to mitigate the identified risks? How do those measures reduce the likelihood or severity of the potential harms? What residual risk remains after mitigation?

In addition to these minimum requirements, the DPIA should document the views of the DPO and, where appropriate, the views of data subjects or their representatives. If a DPO has been appointed, they must be consulted as part of the DPIA process — Article 35(2) makes this a specific requirement.

When Must You Consult the ICO?

Where a DPIA concludes that a high risk remains after all available mitigations have been applied, Article 36 of UK GDPR requires the organisation to consult the ICO before proceeding with the processing. This is known as prior consultation.

Prior consultation is relatively rare in practice — it only applies where the residual risk after mitigation remains high. But it is a real mechanism, and organisations that proceed with high-risk processing without consulting the ICO when required are in breach of Article 36 as well as Article 35.

The ICO has eight weeks to respond to a prior consultation request, and may advise the organisation to modify or abandon the processing activity. Proceeding in the face of ICO advice to the contrary creates significant regulatory exposure.

Not sure whether your processing requires a DPIA?

Our outsourced DPO service includes DPIA advice, assessment and oversight as a core part of the service — so new processing activities are assessed before they begin, not after. From £695/month, no long-term commitment.


What Happens If You Skip a Mandatory DPIA?

Failing to carry out a required DPIA is a breach of Article 35 of UK GDPR — independent of whether the underlying processing causes any harm to individuals. The enforcement consequences can include:

Perhaps most importantly, a DPIA that is not conducted cannot identify risks that, if identified, might have been mitigated before harm occurred. The regulatory consequences of skipping a DPIA are serious — but the practical consequences of unmitigated risk to individuals can be more serious still.

Frequently Asked Questions

When is a DPIA mandatory under UK GDPR?

A DPIA is mandatory where processing is likely to result in high risk to individuals' rights and freedoms. The ICO has identified nine processing types that always require a DPIA. Beyond those, a preliminary two-factor assessment helps identify whether other processing activities also require one.

What happens if you skip a mandatory DPIA?

Failing to conduct a required DPIA is itself a breach of UK GDPR, regardless of whether harm results. The ICO can investigate and impose fines of up to £8.7 million or 2% of global annual turnover. The absence of a DPIA is also treated as an aggravating factor in any related investigation.

Who is responsible for carrying out a DPIA?

The data controller is responsible for ensuring a DPIA is conducted. In practice, the DPO advises on whether one is required, what it should cover, and reviews the completed assessment. The final decision on whether to proceed with processing rests with the controller, not the DPO.

Does the DPO have to be involved in every DPIA?

Yes — where a DPO has been appointed, Article 35(2) requires them to be consulted as part of the DPIA process. The DPO's views, and whether or not they were followed, should be documented in the assessment.

Can you carry out a DPIA retrospectively?

A retrospective DPIA does not cure the breach that occurred when processing started without one. However, conducting a retrospective DPIA is better than not conducting one at all — it may identify risks that can still be mitigated, and demonstrates a commitment to compliance that the ICO will take into account in any enforcement assessment.

How often should a DPIA be reviewed?

A DPIA should be reviewed whenever there is a change to the processing activity that could affect the risk assessment — new data types, new purposes, new technologies, new recipients. There is no fixed review cycle, but as part of good governance the DPO should confirm that existing DPIAs remain current at least annually.