Glossary

DPIA (Data Protection Impact Assessment)

Risk assessment under Art. 35 GDPR. Mandatory for high-risk processing (e.g. systematic call recording). Structured risk and mitigation analysis before go-live.

A Data Protection Impact Assessment (DPIA) is mandatory under Art. 35 GDPR whenever a processing activity is "likely to result in a high risk to the rights and freedoms of natural persons". AI-driven voice processing with recording and automated tagging routinely falls in that bracket — even at SMB scale.

A defensible DPIA documents at minimum: purpose and necessity of the processing, categories of data subjects, data types, sub-processors, retention period, risks (re-identification, profiling, data breach), and concrete technical and organisational countermeasures.

Templates from supervisory authorities (BayLDA, ICO, CNIL) work as a baseline scaffold but do not replace the organisation-specific assessment. Results must be kept under version control and updated whenever the processing materially changes (new use case, new vendor).

FAQ

Who writes the DPIA: vendor or customer?

The legal duty sits with the controller (the customer). The vendor supports with technical documentation, a list of technical and organisational measures (TOMs), a sub-processor map and a standard risk analysis, but does not own the DPIA itself.