GDPR · July 4, 2026 · 6 min read

When Do You Need a DPIA for AI Tools Under GDPR?

A DPIA is often mandatory for AI processing of personal data — and even when it is not, it is the document that proves you thought about the risk before you rolled the tool out.

AIovert Security Team

GDPR & EU AI Act practitioners · Last updated July 4, 2026

The short answer

You need a data protection impact assessment (DPIA) whenever processing personal data with an AI tool is likely to result in a high risk to individuals’ rights and freedoms — for example, large-scale processing, systematic monitoring, or use of special-category data. GDPR Article 35 sets this requirement, and supervisory authorities publish lists of processing that always triggers a DPIA. For many AI deployments involving personal data, a DPIA is either mandatory or strongly advisable as evidence of accountability.

The DPIA documents the processing, assesses the risks, and records the measures — such as a browser data control — you have taken to reduce them.

The Article 35 trigger

A DPIA is required where processing is likely to result in a high risk, particularly when using new technologies. AI tools processing personal data at scale frequently meet this description, especially when the data includes customer records or special categories.

What the DPIA should cover

Under Article 35(7) the DPIA must contain at least: a systematic description of the processing and its purposes, an assessment of the necessity and proportionality of the processing, an assessment of the risks to individuals, and the measures envisaged to address those risks. A technical control that prevents sensitive data from entering AI tools is a concrete mitigating measure you can cite — the same control that helps you make AI tools GDPR compliant for your company.

DPIA on the control itself

It is good practice to run a DPIA on any tool you deploy that inspects prompt content. An on-device browser control that never transmits the inspected text simplifies this assessment considerably, because there is no new data flow to a third party to justify. This intersects with your GDPR Article 28 obligations for AI vendors.

Frequently asked questions

Is a DPIA mandatory before rolling out ChatGPT to staff?

It is mandatory where the processing is likely to result in a high risk to individuals. Even where it is not strictly required, conducting one demonstrates accountability under GDPR and is widely regarded as best practice for AI deployments.

Who should carry out the DPIA?

The controller carries out the DPIA, seeking the advice of the data protection officer where one is designated. Input from IT, security, and the business unit using the tool is also valuable.

Does using an on-device DLP tool need its own DPIA?

Assessing it is sensible. An on-device tool that does not transmit inspected content generally presents lower risk, which makes the DPIA straightforward and supports a favourable outcome.

Primary sources

Regulatory dates and requirements can change — verify against the official EU sources above before relying on them. This page is informational and not legal advice.

A mitigating measure your DPIA can cite.

AIovert prevents sensitive data entering AI tools and logs the evidence — a concrete Article 35 control that keeps your own assessment simple. Deploys in 15 minutes.