This flowchart illustrates the decision process for determining when a DPIA is required under the GDPR and the subsequent steps to follow.

```mermaid
graph TD
A["Likely to result in high risks?<br>[art.35(1), (3) & (4)]"]
B["Exception?<br>[art.35(5) and (10)]"]
C["DPIA<br>[art.35(7)]"]
D["Residual high risks?<br>[art.36(1)]"]
E["No DPIA needed"]
F["Prior consultation"]
G["No prior consultation"]
H["Processing reviewed<br>by controller<br>[art.35(11)]"]
I["Advice of the DPO<br>[art.35(2)]<br>Monitor performance<br>[art.39(1)(c)]"]
J["Code(s) of conduct<br>[art.35(8)]"]
K["Seek the views of<br>data subjects<br>[art.35(9)]"]
A -->|No| E
A -->|Yes| B
B -->|Yes| E
B -->|No| C
C --> D
D -->|Yes| F
D -->|No| G
C --> H
I -.-> C
J -.-> C
K -.-> C
```