DPIA for AI
aka Data Protection Impact Assessment for AI, AI DPIA, Article 35 DPIA
A documented assessment under GDPR Article 35 that an Irish controller must complete before deploying an AI tool likely to result in high risk to data subjects. The DPC treats most AI deployments as triggering this obligation.
Last reviewed May 2026
Definition
GDPR Article 35 requires a Data Protection Impact Assessment (DPIA) whenever a controller plans processing that is 'likely to result in a high risk to the rights and freedoms of natural persons'. Article 35(3) names three cases that catch most AI deployments: systematic and extensive evaluation of personal aspects based on automated processing (including profiling) that produces legal or similarly significant effects; large-scale processing of special category data or criminal-offence data; and systematic monitoring of a publicly accessible area on a large scale. The Data Protection Commission also publishes a List of Processing Operations Requiring a DPIA, which includes use of AI, machine learning and deep learning techniques where personal data is involved and where decisions or profiles affect individuals.

For an Irish SME, a DPIA for AI is not a five-page checklist. It is a structured document that names the AI system and vendor; describes the processing purpose, lawful basis and necessity; lists data categories and data subjects; identifies risks to those subjects (re-identification, model bias, leakage of personal data into model training, transfer to a non-EEA vendor under Schrems II, solely automated decisions under Article 22); and documents mitigations (enterprise tier with a Data Processing Agreement, EU data residency where available, a prompt hygiene policy, human review of AI output, opt-out from model training). The controller signs it off, having sought the DPO's advice where one is designated (Article 35(2)).

The DPIA must be reviewed when the AI system, vendor or use case changes. Upgrading to a new model version or rolling the tool out to a new department typically requires a refresh, not a full rewrite; switching vendor or adding a new category of data subject usually does. Failure to carry out a required DPIA is a standalone infringement under Article 83(4), with administrative fines up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher.
Why it matters for software choice
An Irish controller deploying AI without a documented DPIA is exposed twice: to the harm the AI tool itself may cause (data subject complaints, breaches, regulatory action) and to the separate procedural breach of skipping Article 35, which the DPC can fine on its own regardless of whether any harm occurred. The DPIA is cheap insurance and the artefact regulators ask for first.
Authority sources
- Data Protection Commission - Data Protection Impact Assessments (www.dataprotection.ie)
- GDPR Article 35 - Data protection impact assessment (gdpr-info.eu)
Vendors covered by this term
ChatGPT Enterprise
OpenAI's enterprise AI assistant with advanced reasoning, data analysis, and custom GPTs
Claude for Business
Anthropic's AI assistant with strong safety focus, long context handling, and business-grade data privacy
Microsoft Copilot
AI assistant integrated into Microsoft 365, with EU data boundary for European customers
Gemini Business
Google's AI assistant integrated with Google Workspace, with EU data processing for European customers
Related terms
Data Protection Commission
Ireland's national data protection authority. Lead supervisory authority for many large US tech companies headquartered in Dublin under the GDPR's one-stop-shop mechanism.
Data Processing Agreement
Mandatory contract under GDPR Article 28 between a data controller and a data processor. Sets out subject matter, duration, processing purposes, and required security measures.
DPC Guidance on AI
Published positions from Ireland's Data Protection Commission on how AI and large language models interact with GDPR. The closest thing to an official Irish AI rulebook for SMEs.
Schrems II Data Transfer
The 2020 Court of Justice ruling that struck down Privacy Shield and forced Irish controllers to assess US surveillance risk before sending personal data to US-hosted AI tools, even with Standard Contractual Clauses in place.
GDPR Article 22
The GDPR provision that gives data subjects a right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. Constrains how Irish employers and lenders can use AI to make decisions.