EIPD: how to automate the GDPR impact assessment

By Anaraya Albornoz

Published: April 30, 2025

The EIPD or impact assessment is one of the new features of the GDPR. Have you identified a data protection risk in your company? Find out what you need to do for each of the processing operations concerned.

The impact assessment, also known as a PIA (Privacy Impact Assessment), consists of carrying out a comprehensive study with the aim of assessing the impact of one or more data processing operations on privacy.

Learn the key concepts of GDPR compliance and discover the best solutions for achieving it.

What is a PIA?

The DPIA or Data Protection Impact Assessment is one of the provisions of the new European data protection framework, the GDPR (European Data Protection Regulation).

The DPIA must describe the processing and its purpose, assess whether the processing is justified by that purpose, identify the risks and detail the actions taken to manage those risks.

"Conducting an impact analysis is highly recommended by the authorities and should be initiated before data processing is put in place."

Moreover, the GDPR impact assessment must be maintained and updated throughout the entire lifecycle of the processing.

Why perform a GDPR impact assessment?

An impact assessment is the best way to verify and check the compliance of a processing operation and to prevent a risk related to the loss or exposure of processed data.

Conducting a risk assessment allows data controllers to:

  • Determine the cause of a risk and estimate the likelihood of it materializing;

  • Improve data processing so that the rights of individuals are respected;

  • Gather the technical and organizational conditions necessary for the respect of the regulation;

  • Prove risk management to the authorities.

Although the GDPR impact assessment is recommended for all companies that collect and manage data, in many cases the EIPD is mandatory and non-compliance with this provision is a serious infringement.

Article 35 GDPR: when is an impact assessment mandatory?

"It establishes that where a processing operation is likely to 'involve a high risk to the rights and freedoms of natural persons', it will be necessary to carry out a DPIA before the processing is implemented. This obligation is aligned with the privacy principle that aims to analyze a processing operation from its design phase and ensure adequate risk management, in addition to complying with the principles of necessity and proportionality."

Article 35, paragraph 3: processing operations likely to involve high risk

Automated profiling

a) "systematic and comprehensive evaluation of personal aspects of natural persons that is based on automated processing, such as profiling, and on the basis of which decisions are made that produce legal effects for natural persons or significantly affect them in a similar way";

Large-scale processing

b) "large-scale processing of the special categories of data referred to in Article 9(1) or of personal data relating to convictions and criminal offences referred to in Article 10",

This refers to the processing of sensitive data (genetic data, health-related data, data on racial and ethnic origin, personal data relating to criminal convictions and offences, etc.).

Use of invasive technologies

c) "large-scale systematic observation of a publicly accessible area".

Examples: video surveillance, drones, biometric data.

Other processing operations that require an EIPD

  • Data of children under fourteen years of age;

  • Data transfers, especially if it is an international transfer to a country that is not part of the European Economic Area;

  • Non-dissociated or non-anonymized personal data;

  • Any processing involving the collection of highly sensitive data;

  • Any processing involving significant data collection;

  • Cross-referencing of data, modification of the information processed or of the purpose of the processing;

  • Processing of vulnerable persons (patients, elderly, children, etc.).

EIPD example: processing requiring an evaluation

A company implements an advertising processing with the aim of collecting the geolocation data of millions of individuals in order to create advertising profiles and show them personalized advertising based on their geographical position. This processing falls into the category of large-scale processing of sensitive data (geolocation). A data protection impact assessment is necessary.

Who is involved in carrying out the DPIA?

The advice of the DPO in carrying out the DPIA will be essential to avoid risks.

It is the controller who has the obligation to ensure compliance with the GDPR.

If a DPO (Data Protection Officer) has been appointed, he/she must advise the controller and verify the execution of the impact assessment.

If a processor (subcontractor) is involved in the processing, it must provide its assistance as well as the information necessary to carry out the PIA.

To do or not to do the EIPD? → The AEPD and the risk analysis are the answer.

Still not sure whether any of your company's operations require an impact assessment? No problem: once you have performed the GDPR risk analysis you will have no doubts left.

If you don't know what a risk analysis is or how to perform it, you can take a look at our article on GDPR risk analysis.

The purpose of this exercise, which is mandatory, is to determine the existence of circumstances that subsequently require a GDPR impact assessment.

Content of the GDPR impact assessment

The EIPD guide of the Spanish Data Protection Agency (AEPD) shows in detail the methodology to be followed to prepare an EIPD in accordance with the requirements of the GDPR.

The assessment is divided into 3 main stages:

  • Description (from data capture to data destruction) and context of the processing (lawfulness, necessity and proportionality);

  • Risk identification, assessment and management;

  • Conclusion (action plan) and validation (favorable or unfavorable conclusion).

The AEPD also recommends that the action plan should include:

  • a description of the control measures,

  • the person responsible for their implementation,

  • the implementation deadline.

It should also be indicated whether the EIPD has been carried out on a new processing operation or on an existing processing operation.

  1. In the first case, the action plan is implemented before the processing starts; this principle is known as data protection by design.

  2. In the second case, the controller must set a deadline for implementing the action plan on the ongoing processing. If this deadline is not met and the risk is not acceptable, the controller can, and must, request that the processing be stopped.

Article 36 GDPR: consultation of the AEPD?

"The controller shall consult the Supervisory Authority prior to processing where a data protection impact assessment pursuant to Article 35 shows that the processing would entail a high risk if the controller does not take measures to mitigate the risk."

If the conclusion of the EIPD includes a high risk, the data controller may resort to additional control measures to reduce the risk to an acceptable level. However, if it is not possible to reduce the risk, the processing cannot be carried out and the controller is obliged to consult the supervisory authority.

Ideally, the supervisory authority will define the conditions and control measures under which the processing may be carried out. However, the supervisory authority may also indicate that the processing may not be carried out under any circumstances.

The data protection impact assessment is a thorough, complete and exhaustive process in which all aspects of the processing are evaluated: from beginning to end, taking into account all variables. Fortunately, high-performance tools are now available to automate and optimize business processes and legal obligations.

Data Protection Impact Assessment Tools: 2 examples

Data Privacy Solution

Data Privacy Solution is a 100% Spanish solution for data protection under the GDPR and the LOPDGDD. The tool has been designed for all types of companies and consultants.

How does Data Privacy Solution help with the EIPD?

Data Privacy Solution allows the generation and management of EIPD by multiple users, including the DPO for review. Thanks to the SaaS model, the DPO and all users have access from anywhere and at any time.

This GDPR software indicates, for each data processing operation, whether the risk analysis is sufficient or whether an EIPD must be performed. Moreover, even if only the risk analysis is required, the user can choose to also perform the risk treatment or even the entire EIPD.

Both the risk analysis and the EIPD are based on the guidelines and good practices of the AEPD (Spanish Data Protection Agency).

Privacy lawyers and information security engineers are responsible for the creation of the complete tool.

Smart GDPR

The online solution (SaaS) Smart GDPR meets all the requirements of the European regulation.

30 years of experience in data protection, information security and privacy support the legitimacy of Smart GDPR as one of the best GDPR solutions.

To date, Smart GDPR brings together all the resources needed for GDPR compliance on a single platform!

How to do an impact assessment with Smart GDPR?

Smart GDPR offers a module that facilitates GDPR risk assessment. Module one is entirely dedicated to:

  • Audits.

  • Risk analysis.

  • Impact assessment (PIA).

  • Semi-automated action plans.

  • Project management.

The module has 1460 processing checkpoints executed by an algorithm. Consequently, the time savings are considerable and the results are accurate: Smart GDPR performs in one hour what would normally take about five.

The action plan is automatically generated (based on the responses) accompanied by a detailed list of control measures to be implemented.

Each response is automatically assigned a score. In the event of a score below the average, the response must be systematically reviewed by the data controller or the DPO. You can also indicate whether you wish to review all responses.

Smart GDPR+ also covers a financial risk of up to 90 million euros in case of any failure on your part.

Automation of the evaluation process

Digital tools, data protection legislation and business processes are constantly evolving; implementing a SaaS solution will allow you to keep up with your obligations.

Article translated from Spanish