Do I Need a DPIA for My AI System? (Almost Certainly Yes)

Probably yes. And I say "probably" not because the answer is uncertain — it's because every AI system I've assessed has needed one. The exceptions are rare enough that you should assume you need it and be pleasantly surprised if you don't.

GDPR Article 35 says a DPIA is mandatory when processing is "likely to result in a high risk to the rights and freedoms of natural persons." It then lists the kinds of processing that qualify. AI systems hit multiple triggers at once.

Why AI almost always triggers the requirement

The regulation calls out several high-risk indicators. AI systems don't just match one — they typically match three or four simultaneously:

New technologies. AI qualifies. The European Data Protection Board guidelines specifically identify novel technology as a DPIA trigger. If you deployed an AI system in the last two years, you're using new technology by any reasonable definition.

Automated decision-making with significant effects. If your AI influences decisions about people — credit applications, fraud flags, insurance pricing, recruitment screening, content moderation — that's automated decision-making under Article 22. If those decisions meaningfully affect someone's life, a DPIA is required.

Large-scale processing. A chatbot handling thousands of customer conversations per day processes personal data at scale. A recommendation engine tracking user behaviour across your platform does the same. Scale isn't just about volume — it's also about the breadth of data processed and the geographic scope.

Systematic monitoring. If your AI tracks, profiles, or monitors individuals — behavioural analytics, usage patterns, location tracking — that's systematic monitoring.

Most AI systems I see match at least two of these. A customer service chatbot matches new technology + large-scale processing. A fraud detection system matches all four.

What a DPIA for AI actually needs to cover

This is where generic DPIA templates fail. They were written for databases and CRM systems, not for AI architectures where data flows through external APIs, gets processed by models you don't control, and produces outputs that affect people's lives.

A proper AI DPIA needs to address:

The data flows — all of them. Not just "we collect customer data." Map every hop. Customer sends a message → your application receives it → you call the OpenAI API → data goes to US servers → response comes back → conversation is logged → logs are stored in your database. Every hop is a processing activity. Every hop needs documentation.

The AI provider relationship. If you use ChatGPT, Claude, or any external LLM, you're sending personal data to a third-party processor. Your DPIA needs to document: who the provider is, where their servers are, what they do with your data (do they retain it? use it for training?), and what safeguards are in place. You need a Data Processing Agreement with them. Most major providers offer one — the issue is usually that nobody at the company has actually signed it.

Cross-border transfers. Every API call to OpenAI goes to the US. That's a transfer of personal data outside the UK/EEA. You need a lawful transfer mechanism — typically Standard Contractual Clauses. Your DPIA needs to document the mechanism and assess whether it's adequate. The ICO has specific guidance on this.

What decisions the AI makes, and whether humans can override them. If the AI decides things — even if a human technically approves — you need to document the decision logic, explain it in meaningful terms, and show that human oversight is genuine, not rubber-stamping.

Data minimisation. Are you sending more data to the AI than you need to? If your chatbot only needs the customer's question to generate a response, why are you also sending their account number, email address, and purchase history? Redact what you don't need before it hits the API.

Retention. How long do you keep conversation logs? Interaction records? AI outputs? "Forever" is not a retention policy. Set a period, document the justification, and actually delete when the period expires.

Training data. If you fine-tuned a model on personal data, or if you're using a RAG system that indexes customer documents, that's processing. The DPIA needs to cover the lawful basis for training use and address the practical reality that data embedded in model weights can't easily be deleted.

What happens if you don't do one

The ICO can fine you up to £8.7 million or 2% of global annual turnover for failing to conduct a required DPIA. That's the stick.

But the more practical risk is this: without a DPIA, you genuinely don't know whether your AI system is processing data lawfully. You're operating blind. When something goes wrong — a breach, a complaint, a regulator inquiry — you have no documentation to show that you assessed the risks and took reasonable steps to mitigate them.

I've seen companies spend more money fixing a compliance failure after the fact than a DPIA would have cost upfront. It's not close. The DPIA is cheaper, less stressful, and produces documentation you'll use for years.

The Nigerian angle

If you're processing data of Nigerian residents, the NDPA has its own DPIA requirements. They're similar to GDPR but with Nigerian enforcement context. If you're a Nigerian fintech using AI, you likely need a DPIA under both the NDPA and (if you serve EU/UK customers) GDPR. One well-written DPIA can cover both frameworks — document the assessment against both sets of criteria.

How to actually do this

Start with the ICO's DPIA template. It's a reasonable starting point, but you'll need to extend it significantly for AI.

Map every data flow before you start writing. Talk to your developers — they know where the data actually goes, which is often different from where the documentation says it goes.

Do the DPIA before deployment. Retrofitting compliance onto a live system is always more expensive and more disruptive than building it in from the start. I've done both. Building it in is better in every way.

Review and update when the system changes. Switched AI providers? Update the DPIA. Added a new data source? Update the DPIA. Changed the retention policy? Update the DPIA. It's a living document, not a one-off filing.

If you're not confident doing this internally, that's normal. AI DPIAs sit at the intersection of data protection law, AI architecture, and risk management. Most organisations don't have someone who covers all three.

---

Need to know whether your AI system really needs a DPIA? Start with a £500 scoping review — we’ll tell you exactly what documentation the system needs and why. If you want to see the shape of the work first, review our sample DPIA structure.