You’re about to deploy an AI tool that pulls in client records. You’ve heard there might be a data thing to sort out, but you don’t have a DPO on staff and the project has a timeline. The question is whether this deployment needs a data protection impact assessment, and you can answer it yourself. The trigger is specific, and once you know what it is, the call is usually straightforward.
What is a DPIA?
A data protection impact assessment is a document that records what an AI tool does with personal data, what risks that creates for the individuals involved, and what steps you’ve put in place to reduce those risks. Under UK GDPR Article 35, completing a DPIA before deployment is a legal requirement when the processing poses a high risk to people’s rights and freedoms.
For an owner-managed business, a proportionate assessment might run to two or three pages. The ICO’s guidance is clear that the document should be proportionate to the nature and scale of the processing. It must cover the purpose of the AI processing, the personal data flowing through it, the risks to individuals, and the technical and organisational measures you’ve put in place to address those risks.
The DPIA should be revisited if the deployment changes materially. If the AI tool starts ingesting a new data category, or its scope widens, the assessment needs updating before that change goes live.
One important point at the outset. A DPIA belongs before deployment. Completing it after a problem surfaces is too late for it to serve its legal purpose.
Why does this matter for your business?
Failing to complete a DPIA when one is required is a breach of UK GDPR Article 35, separate from any data incident or harm that follows. The ICO’s enforcement powers activate on the absence of the assessment itself. Many delegates find this surprising, having assumed that regulators act on harm rather than on missing documentation.
When a data incident occurs and the ICO investigates, the absence of a DPIA becomes an aggravating factor, one that increases both the likelihood of formal action and its severity. The ICO has pursued enforcement against organisations of all sizes. Treating the threshold for regulatory attention as a size or revenue test is a misconception that has cost businesses their standing before regulators more than once.
There’s also a practical reason to complete the DPIA beyond regulatory exposure. Doing it forces you to look at what the tool actually does with personal data, what risks it creates, and whether the vendor has the data protection commitments you need. Missing data processing agreements, incomplete privacy notice updates, and unverified vendor retention policies all surface during the assessment process. These are far easier to address before deployment than after.
Where will you actually meet the trigger?
Three conditions trigger the DPIA requirement under UK GDPR Article 35. First, the AI tool systematically processes personal data at scale. Second, the tool makes or significantly contributes to automated decisions with legal or similarly significant effects on individuals. Third, the tool handles special-category data, such as health records, biometric data, or racial origin. Any one of the three is sufficient to trigger the obligation.
Worked examples make the line concrete. A law firm using AI to review client matter files containing names, personal circumstances, and confidential client details needs a DPIA. A healthcare practice using AI for clinical documentation that draws on patient records needs a DPIA. An e-commerce business using AI to personalise product recommendations based on purchase history probably needs a DPIA, depending on scale and how the personalisation works. A business using AI to draft a generic newsletter template with no customer or employee data in the prompts does not need a DPIA. The data in that last case simply isn’t personal.
Regulated sectors add a further layer. Solicitors, financial advisers, and clinicians face professional duties that sit alongside GDPR. Feeding client information into a cloud-based AI tool without explicit consent and a data processing agreement in place isn’t only a data protection question. For an SRA-regulated firm, it is a professional conduct question too. The FCA’s guidance on AI in financial services carries the same expectation. So does the GMC’s guidance for clinicians using AI.
When to carry it out yourself, and when to get help
A proportionate DPIA for a straightforward deployment is something a senior operator can work through without a lawyer. The ICO’s DPIA guidance and its AI risk toolkit provide structured questions you can follow directly. For a mid-range deployment with a clear lawful basis and a data processing agreement already in hand, the process typically takes a few hours.
Three signals should prompt you to stop and bring in regulated advice before proceeding.
Special-category data is the first. When health records, biometric data, financial vulnerability information, or any other Article 9 category is in scope, the safeguards required are stricter and the margin for error is narrower. A sector mandate is the second. If you’re regulated by the SRA, the FCA, the GMC, or a comparable body, sector-specific obligations compound the GDPR requirement. A missed step can become a professional conduct matter rather than a data protection question alone. Article 22 automated decision-making is the third. If the AI tool makes or substantially influences decisions about individuals that carry legal or material consequences, the architecture needs to include human oversight and the individual’s right to object. Getting that wrong has consequences beyond the DPIA itself.
The baseline test throughout is simple. Can you clearly document the lawful basis, the risk-reduction measures, and the vendor’s data protection commitments? If any of those three are missing, the DPIA will surface the gap.
What else sits around this decision?
The DPIA sits inside a wider compliance picture that the same deployment decision activates. A data processing agreement with the AI vendor is a separate legal obligation, required before any personal data flows to a cloud-based tool. Updating your privacy notice to disclose that AI processing is taking place applies under UK GDPR Articles 13 and 14 whenever data was collected directly from individuals.
Article 22 operates in parallel if the AI tool makes automated decisions with significant effects on people, with its own requirements around human review and the individual’s right to object. The ICO also expects you to be able to demonstrate accountability by documenting that the risk was assessed, what measures were put in place, and when.
None of this is designed to stop you deploying. The compliance framework exists so that when personal data flows through an AI system, the individuals whose data it is have clarity about what’s happening. For a delegate making a deployment decision, the practical sequence is to check the DPIA trigger, complete the assessment if it applies, verify the vendor DPA and data retention terms, and update the privacy notice. That covers the legal minimum for a clear-eyed rollout in an owner-managed business.
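To make the trigger test and the deployment sequence above concrete, here is an added worked example that is not part of the original article or any ICO material. It encodes the three Article 35 triggers, the follow-on obligations the same decision activates (vendor DPA, privacy notice, Article 22 safeguards) and the three signals for bringing in regulated advice, then runs the article's four worked scenarios through the screen. The scale labels ("large", "small", "unknown"), the scenario inputs and the field names are assumptions for illustration, not ICO thresholds.

```python
"""DPIA trigger screen for an AI deployment (constructed illustration).

Encodes the three Article 35 triggers described in the text (systematic
processing of personal data at scale, Article 22 automated decisions,
Article 9 special-category data), the follow-on obligations the deployment
decision activates, and the "get regulated advice" signals. The scale labels
and the example deployments are assumptions, not ICO thresholds.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import FrozenSet, List, Optional


class Verdict(Enum):
    REQUIRED = "DPIA required before deployment"
    LIKELY = "DPIA probably required; confirm scale and how the processing works"
    NOT_REQUIRED = "No DPIA trigger met"


# UK GDPR Article 9 special categories. The text names health, biometric and
# racial origin; the remaining entries are the other Article 9 categories.
ARTICLE_9_CATEGORIES = frozenset({
    "health", "biometric", "genetic", "racial_or_ethnic_origin",
    "political_opinions", "religious_or_philosophical_beliefs",
    "trade_union_membership", "sex_life_or_sexual_orientation",
})


@dataclass(frozen=True)
class Deployment:
    name: str
    # Categories of personal data that reach the tool; empty means none does.
    data_categories: FrozenSet[str] = frozenset()
    systematic: bool = False            # routine processing rather than a one-off
    scale: str = "unknown"              # assumed labels: "large", "small", "unknown"
    automated_significant_decisions: bool = False   # Article 22 territory
    cloud_vendor: bool = False          # personal data leaves your own estate
    collected_directly: bool = False    # data obtained from the individuals themselves
    regulated_by: Optional[str] = None  # e.g. "SRA", "FCA", "GMC"


@dataclass
class Assessment:
    verdict: Verdict
    triggers: List[str] = field(default_factory=list)
    follow_on: List[str] = field(default_factory=list)
    seek_advice: bool = False


def screen(d: Deployment) -> Assessment:
    """Apply the Article 35 triggers and list the obligations that sit around them."""
    personal = bool(d.data_categories)
    special = sorted(d.data_categories & ARTICLE_9_CATEGORIES)
    hard, soft = [], []   # hard triggers settle the question; soft ones need confirming

    if special:
        hard.append(f"Article 9 special-category data in scope: {', '.join(special)}")
    if d.automated_significant_decisions:
        hard.append("Automated decisions with legal or similarly significant effects (Article 22)")
    if personal and d.systematic:
        if d.scale == "large":
            hard.append("Systematic processing of personal data at scale")
        elif d.scale == "unknown":
            soft.append("Systematic processing of personal data; scale not yet established")

    if hard:
        verdict = Verdict.REQUIRED
    elif soft:
        verdict = Verdict.LIKELY
    else:
        verdict = Verdict.NOT_REQUIRED

    a = Assessment(verdict, triggers=hard + soft)
    if verdict is not Verdict.NOT_REQUIRED:
        a.follow_on.append("Complete a proportionate DPIA before go-live; revisit on any material change")
    if personal and d.cloud_vendor:
        a.follow_on.append("Data processing agreement with the vendor before any personal data flows")
    if personal and d.collected_directly:
        a.follow_on.append("Update the privacy notice to disclose the AI processing (Articles 13 and 14)")
    if d.automated_significant_decisions:
        a.follow_on.append("Design in human review and the individual's right to object (Article 22)")

    # The three "stop and get regulated advice" signals from the text.
    a.seek_advice = bool(special) or d.regulated_by is not None or d.automated_significant_decisions
    return a


# Constructed scenarios mirroring the text's worked examples.
LAW_FIRM = Deployment("matter file review", frozenset({"name", "personal_circumstances"}),
                      systematic=True, scale="large", cloud_vendor=True,
                      collected_directly=True, regulated_by="SRA")
CLINIC = Deployment("clinical documentation", frozenset({"name", "health"}),
                    systematic=True, scale="unknown", cloud_vendor=True,
                    collected_directly=True, regulated_by="GMC")
SHOP = Deployment("product recommendations", frozenset({"purchase_history"}),
                  systematic=True, scale="unknown", cloud_vendor=True, collected_directly=True)
NEWSLETTER = Deployment("generic newsletter template")

if __name__ == "__main__":
    for dep in (LAW_FIRM, CLINIC, SHOP, NEWSLETTER):
        result = screen(dep)
        print(f"{dep.name}: {result.verdict.value}")
        for line in result.triggers + result.follow_on:
            print("  -", line)
        if result.seek_advice:
            print("  - Bring in regulated advice before proceeding")
```

Running the module prints one block per scenario: the law firm and the clinic come out as required (the clinic also flags Article 9 health data and the GMC mandate), the e-commerce case comes out as "probably required" pending a scale check, and the newsletter meets no trigger and carries no follow-on obligations because no personal data is in the prompts.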
If you want to pressure-test your AI governance picture across the business rather than just for one tool, book a conversation. It’s short, it’s free, and it usually surfaces the things worth sorting before they become problems.