Practical AI and SaaS for Business

GDPR DPIA AI Systems

Rolling out an AI tool that scores, ranks, or profiles people at scale can trigger a mandatory Data Protection Impact Assessment under GDPR before you ever go live. This guide explains when a DPIA is actually required for an AI system, and what a genuine one covers.

Last verified: 17 July 2026. References checked against current legislation.

Editorial Perspective

You run operations at a 20-person recruitment agency, and you're about to switch on an AI tool that scores every CV against a job spec. The problem isn't whether the tool is good, it's whether you've done the one piece of paperwork GDPR actually requires before a tool like this goes live. This guide explains exactly when a Data Protection Impact Assessment is mandatory, and how to run one without a legal team. No compliance background needed.

This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.

Not every AI tool needs a Data Protection Impact Assessment, but a tool that scores, ranks, or profiles people at any real scale almost always does. A Data Protection Impact Assessment, DPIA, is a structured process for identifying and reducing the data protection risks of a processing activity before it starts, and GDPR makes it mandatory in specific circumstances, not optional best practice.

In short: GDPR Article 35 requires a DPIA before processing that's likely to result in a high risk to people's rights. The European Data Protection Board has set out criteria for judging this, and meeting two or more of them means a DPIA is presumed necessary. An AI tool that profiles or scores people at scale, hiring, credit, insurance, typically meets several of these criteria at once.

The plain-English answer

A DPIA isn't required for every use of AI, a simple internal chatbot that answers staff questions about the holiday policy doesn't need one. What triggers the requirement is the nature of the processing, not the fact that AI is involved at all. The European Data Protection Board (EDPB) has published nine criteria for judging whether processing is likely to be high-risk, things like evaluation or scoring of people, automated decision-making with legal or similarly significant effects, and processing on a large scale. Meeting two or more of these criteria means a DPIA is presumed necessary, and an AI tool that screens job applicants, scores creditworthiness, or profiles customers for pricing typically meets several at once without anyone deliberately designing it that way.

Why this matters for your business

A 20-person recruitment agency running every CV through an AI scoring tool is exactly the kind of business that triggers this requirement, often without realising it. The tool evaluates and ranks real candidates, it operates at the scale of every application the agency receives, and it materially affects whether a candidate even reaches a human. That's evaluation, automated decision-making, and scale, three of the EDPB's nine criteria, in a single ordinary business tool.

Skipping the DPIA isn't just a paperwork gap. If a regulator investigates following a complaint, being unable to show a DPIA was carried out before a high-risk processing activity started is a straightforward finding against the business, independent of whether anything actually went wrong with a candidate's data. The DPIA is evidence that risk was actually considered, not just assumed to be fine because the vendor seemed reputable.

What GDPR actually requires

The requirement comes from GDPR Article 35, which requires a DPIA prior to processing that's "likely to result in a high risk to the rights and freedoms of natural persons," particularly where new technologies are used. The EDPB's nine criteria give practical shape to that test: evaluation or scoring, automated decision-making with legal or similarly significant effect, systematic monitoring, processing of sensitive data, large-scale processing, matching or combining datasets, data concerning vulnerable people, innovative use of technology, and processing that prevents someone from exercising a right or using a service. National regulators, such as France's CNIL, publish practical guidance on applying these criteria and running the assessment itself.

Worth knowing if the AI tool in question also falls under the EU AI Act's high-risk category (see our guide on EU AI Act risk tiers): from August 2026, the Act's Article 26(9) requires deployers of high-risk AI systems to use the information the AI provider supplies under the Act's Article 13 specifically to help satisfy the GDPR DPIA obligation, meaning the two frameworks are designed to work together on exactly this kind of tool, not as two separate compliance exercises.

What this looks like in practice

Picture the operations manager at the recruitment agency, about to switch on an AI CV-scoring tool. The default assumption is that a signed vendor contract covers the compliance side. It doesn't, a vendor agreement addresses the relationship between the agency and the AI provider, not whether the processing itself has been risk-assessed under GDPR.

Running a DPIA before go-live means documenting: what data the tool processes and why, whether the scoring could produce an unfair or discriminatory outcome for any group of candidates, what happens if a candidate disputes a low score, and what safeguards exist, like a human reviewing any rejection the tool drives. This isn't a one-off exercise either, a genuine DPIA gets revisited if the tool's use changes materially, not filed away and forgotten once the tool goes live.

What you can do about it

A practical starting process for a business without a dedicated legal or compliance function:

  • Check the AI tool's use against the EDPB's nine criteria before go-live, not after. Two or more criteria met means treat a DPIA as required.
  • Document what data goes in, what the tool does with it, and what decision or outcome it drives for the person affected.
  • Identify a specific human review step for any negative outcome the tool contributes to, and write down what that step actually involves.
  • Ask the AI vendor directly what information they can provide about how the system works, this feeds directly into the assessment and, for high-risk systems under the EU AI Act, is something the provider is required to supply.
  • Revisit the DPIA if the tool's use changes, not just once at the start.

For the broader question of whether a specific AI tool counts as high-risk under the EU AI Act, which changes what obligations apply on top of the DPIA, see our guide on EU AI Act risk tiers explained.

Methodology (Real-World, Verified)

We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.

Related reading: our AI governance by region.

Try our free AI Privacy Risk Scorer to score your current AI tool setup against data-privacy best practice.

Does every AI tool need a DPIA?

No. Only processing that's likely to result in a high risk to people's rights triggers the requirement. A tool that scores, ranks, or profiles people at scale usually meets that bar, an internal tool with no meaningful effect on any individual usually doesn't.

Who is responsible for carrying out the DPIA, us or the AI vendor?

You are, as the data controller deciding to use the tool on your customers' or candidates' data. The vendor can and should provide information about how the system works to support your assessment, but the DPIA itself is your organisation's obligation, not something a vendor completes on your behalf.

What happens if we skip the DPIA and nothing goes wrong with the data?

The obligation exists independent of outcome. If a regulator investigates, whether prompted by a complaint or otherwise, being unable to show a DPIA was carried out before high-risk processing began is a finding against the business regardless of whether any actual harm occurred.

Is a DPIA a one-time document?

No, treat it as a living assessment. If the AI tool's use changes, more data types added, a new use case, a different vendor, revisit the DPIA rather than relying on the original version indefinitely.

Find official guidance for your region

Requirements vary by jurisdiction. This article provides general information only. Consult your regional authority or a qualified professional for advice specific to your situation.

The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.

Not sure whether your AI tool counts as high-risk under the EU AI Act, which changes what else applies?

Check the risk tiers