conducting-gdpr-dpia

Installation
SKILL.md

Conducting GDPR Data Protection Impact Assessment

Overview

A Data Protection Impact Assessment (DPIA) is a structured process mandated by Article 35 of the GDPR to identify, assess, and mitigate risks to the rights and freedoms of natural persons arising from data processing operations. The DPIA is not merely a compliance checkbox but a living risk management instrument that must be conducted before processing begins and updated throughout the processing lifecycle. This skill implements the methodology recommended by the European Data Protection Board in WP248rev.01 (Guidelines on Data Protection Impact Assessment) and incorporates enforceable requirements from Art. 35(1)-(11).

Mandatory DPIA Triggers — Art. 35(3)

A DPIA is required when processing is likely to result in a high risk to the rights and freedoms of natural persons, particularly in these cases:

Automatic Triggers Under Art. 35(3)

Trigger GDPR Reference Description
Systematic and extensive profiling with significant effects Art. 35(3)(a) Automated processing including profiling that produces legal effects or similarly significant effects on the data subject
Large-scale special category or criminal data Art. 35(3)(b) Processing on a large scale of data under Art. 9(1) (health, biometric, genetic, racial, political, religious, sexual orientation, trade union) or Art. 10 (criminal convictions)
Systematic large-scale monitoring of public areas Art. 35(3)(c) CCTV surveillance, drone monitoring, Wi-Fi tracking, or other systematic monitoring of publicly accessible areas on a large scale

EDPB WP248rev.01 Criteria — Two or More Triggers Require a DPIA

Installs
9
GitHub Stars
187
First Seen
Jun 9, 2026
conducting-gdpr-dpia — mukul975/privacy-data-protection-skills