A DPIA is a structured risk assessment, required by GDPR Article 35, that must be completed before high-risk processing begins. Article 35(3) names three cases where it is mandatory: systematic and extensive profiling that produces legal or similarly significant effects, large-scale processing of special category (or criminal offence) data, and large-scale systematic monitoring of publicly accessible areas. Article 35(1) adds any processing that is likely to result in high risk, "in particular using new technologies", and supervisory authorities publish their own lists of processing that requires a DPIA under Article 35(4). Taken together, these criteria capture a large share of modern AI projects.
A DPIA must describe the processing operations and their purposes, assess the necessity and proportionality of the processing in relation to those purposes, identify the risks to data subjects' rights and freedoms, and document the measures put in place to address those risks. Where a data protection officer has been designated, the controller must seek their advice. If, after the planned mitigations, residual risk remains high, the controller must consult the supervisory authority under Article 36 before going live. The assessment is not a one-off: Article 35(11) requires it to be reviewed when the risk presented by the processing changes, which for an AI system includes retraining on new data or deploying the model for a new purpose.
DPIAs are the most common point at which AI projects encounter the GDPR. Any AI system that profiles individuals, makes automated decisions with significant effects, or processes special category data at scale will typically require one. A well-run DPIA is not a formality — it is the document that forces hard questions about data minimization, model design, retention, and oversight to be answered before the system is built rather than after a regulator asks.
