Free Tool

DPIA Necessity Checker

Find out whether your AI data processing legally requires a Data Protection Impact Assessment under UK GDPR Article 35 — in under 3 minutes.

8 questions Based on ICO guidance No email required

Question 1 of 8

Question 1 of 8

Does the processing involve systematic and extensive profiling or automated decision-making that produces legal or similarly significant effects on individuals?

This includes credit scoring, loan decisions, insurance pricing, or content personalisation that significantly affects access to services.

Question 2 of 8

Does the processing involve large-scale processing of special category data (health, biometric, genetic, religious beliefs, sexual orientation, ethnicity, criminal records)?

Large-scale typically means more than a few hundred individuals, or systematic processing even of smaller numbers.

Question 3 of 8

Does the processing involve systematic monitoring of publicly accessible areas (e.g. CCTV, location tracking, online behaviour monitoring)?

Includes monitoring employees, tracking website behaviour at scale, or monitoring public spaces.

Question 4 of 8

Is the processing on a large scale (many individuals, large volume of data, or wide geographic spread)?

ICO guidance suggests more than ~1,000 individuals routinely, or any processing that is a core activity of your business.

Question 5 of 8

Does the processing combine or match datasets in ways the individuals would not reasonably expect?

For example, cross-referencing CRM data with social media profiles, or enriching client data with third-party sources.

Question 6 of 8

Does the processing involve innovative technology or novel use of existing technology?

AI tools, machine learning, facial recognition, voice analysis, or any technology where the privacy risks are not yet fully understood.

Question 7 of 8

Does the processing prevent individuals from accessing a service, contract, or opportunity (data used to exclude or restrict)?

Any process where the output could result in someone being denied something — a job, loan, service, or benefit.

Question 8 of 8

Are the data subjects in a vulnerable position relative to the data controller (employees, children, patients, benefit claimants)?

Power imbalances increase the need for a DPIA — individuals who cannot easily refuse or withdraw.