Under GDPR Article 35, you must carry out a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to the rights and freedoms of individuals. DataShield HQ provides a guided 5-step DPIA wizard with risk scoring, mitigation tracking, and DPO approval workflow.
When is a DPIA required?
Following the EDPB guidelines on Article 35, processing that meets two or more of these criteria is likely to be high risk, so a DPIA is required in most such cases (some Article 35(3) cases, such as large-scale processing of special category data, require one on their own):
- Large-scale processing of personal data
- Systematic monitoring of publicly accessible areas
- Special category data (health, biometric, racial or ethnic origin, etc.)
- Automated decision-making or profiling with legal or similarly significant effects
- Innovative or novel technology
- Vulnerable data subjects (children, employees, patients)
DataShield HQ automatically alerts you when the threshold is met.
Creating a new DPIA
- Click Impact Assessments in the left-hand navigation menu (under Compliance).
- Click New DPIA.
- The 5-step wizard will guide you through:
Step 1 – Screening: Toggle the Art. 35 criteria that apply. An alert will appear if a DPIA is required.
Step 2 – Processing Description: Enter the DPIA title, legal basis, processing description, purpose, and necessity justification.
Step 3 – Risk Identification: Add each risk to data subjects. For each risk:
- Describe the risk.
- Set Likelihood (1–5) and Severity (1–5) using the sliders.
- The system calculates a risk score (Likelihood × Severity) and classifies it as Low (1–6), Medium (7–14), or High (15–25).
Step 4 – Mitigation Measures: For each identified risk, describe the mitigation measures and toggle whether they have already been applied.
Step 5 – DPO Consultation: Add any DPO consultation notes. From this step you can submit the DPIA for DPO review.
- Click Save Draft at any stage to save your progress, or Submit for Review on Step 5 to send it to the DPO.
DPO approval workflow
- Draft — Being prepared by the author. Can be edited and deleted.
- Awaiting DPO Review — Submitted and waiting for the DPO to approve or reject.
- Approved — DPO has approved the DPIA. The completion date is recorded.
- Rejected — DPO has returned the DPIA with a reason. The author should address the feedback and resubmit.
To approve or reject a DPIA:
- Filter the list to Awaiting Review using the tab.
- Click the Approve (thumbs up) or Reject (thumbs down) icon on the relevant row.
- Add any notes and confirm.
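The screening rule, the Step 3 risk-score classification and the DPO status transitions above, modelled in Python as an added example. This is not DataShield HQ's own code: the criterion identifiers, the Risk and DPIA classes and the unmitigated-high-risk check are assumptions made here for illustration, and the sample DPIA in the usage is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from enum import Enum

# Art. 35 screening criteria as listed in this article; identifiers are assumptions.
CRITERIA = {
    "large_scale", "systematic_monitoring", "special_category",
    "automated_decisions", "novel_technology", "vulnerable_subjects",
}


def dpia_required(selected: set[str]) -> bool:
    """Screening (Step 1): a DPIA is required when two or more criteria apply."""
    unknown = selected - CRITERIA
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    return len(selected) >= 2


def risk_score(likelihood: int, severity: int) -> int:
    """Step 3: Likelihood x Severity, each on the 1-5 slider scale."""
    for name, value in (("likelihood", likelihood), ("severity", severity)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1-5, got {value}")
    return likelihood * severity


def risk_level(score: int) -> str:
    """Low (1-6), Medium (7-14), High (15-25)."""
    if score <= 6:
        return "Low"
    if score <= 14:
        return "Medium"
    return "High"


class Status(Enum):
    DRAFT = "Draft"
    AWAITING = "Awaiting DPO Review"
    APPROVED = "Approved"
    REJECTED = "Rejected"


@dataclass
class Risk:
    description: str
    likelihood: int
    severity: int
    mitigation: str = ""
    applied: bool = False  # Step 4 toggle: mitigation already in place

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.severity)

    @property
    def level(self) -> str:
        return risk_level(self.score)


@dataclass
class DPIA:
    title: str
    risks: list[Risk] = field(default_factory=list)
    status: Status = Status.DRAFT
    dpo_notes: list[str] = field(default_factory=list)
    rejection_reason: str | None = None
    completed_on: date | None = None

    def _require(self, expected: Status, action: str) -> None:
        if self.status is not expected:
            raise PermissionError(f"cannot {action} a DPIA in status '{self.status.value}'")

    def unmitigated_high_risks(self) -> list[Risk]:
        # Added check, not a product feature: High risks whose mitigation has not
        # been applied are residual high risk and deserve the DPO's attention first.
        return [r for r in self.risks if r.level == "High" and not r.applied]

    def submit(self) -> None:
        # Submit for Review from Draft, or resubmit after addressing a rejection.
        if self.status not in (Status.DRAFT, Status.REJECTED):
            raise PermissionError(f"cannot submit a DPIA in status '{self.status.value}'")
        self.rejection_reason = None
        self.status = Status.AWAITING

    def approve(self, note: str = "", today: date | None = None) -> None:
        self._require(Status.AWAITING, "approve")
        if note:
            self.dpo_notes.append(note)
        self.completed_on = today or date.today()  # completion date is recorded
        self.status = Status.APPROVED

    def reject(self, reason: str) -> None:
        self._require(Status.AWAITING, "reject")
        if not reason.strip():
            raise ValueError("a rejection reason is required")
        self.rejection_reason = reason
        self.status = Status.REJECTED

    @property
    def can_delete(self) -> bool:
        # Only Draft DPIAs can be deleted; the rest are kept for compliance records.
        return self.status is Status.DRAFT

    def delete(self) -> None:
        if not self.can_delete:
            raise PermissionError(f"'{self.status.value}' DPIAs are retained for compliance records")
```

Usage: build a DPIA with `DPIA("Patient portal")`, append `Risk("Re-identification of patients", 4, 5)` (score 20, High), call `submit()`, then `reject("...")` or `approve()` as the DPO would; `delete()` on anything but a Draft raises, which is the retention rule from the Tips section enforced in code rather than left to the UI.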
Exporting a DPIA as PDF
Click the PDF icon on any DPIA row. A PDF will download containing the full assessment: screening criteria, processing description, risk table with scores, mitigation measures, and DPO consultation notes.
Tips
- Only Draft DPIAs can be deleted. Approved and rejected DPIAs are retained for compliance records.
- Use the filter tabs to quickly find DPIAs by status.
- Link your DPIA to a Processing Activity for traceability.