Acta acta.ink
Compliance · 6 min read

3 DPIA Mistakes That Regulators Flag First

Data Protection Impact Assessments for AI systems aren't the same as traditional DPIAs. Here are the gaps regulators look for.


If your organisation uses AI to process personal data, Art. 35 GDPR likely requires a Data Protection Impact Assessment. Many companies have done DPIAs before — for marketing databases, employee monitoring, CCTV systems. But DPIAs for AI systems are a different beast, and most existing assessments miss critical elements.

Here are the three gaps that Data Protection Authorities tend to flag first.

1. Treating the AI provider's DPIA as your own

OpenAI has published data processing documentation. Anthropic has a privacy policy. Google has AI-specific terms. Many organisations point to these documents and say "our DPIA is covered."

It's not.

The provider's documentation covers their processing. Your DPIA needs to assess your use of the AI system: what data your employees input, what categories of data subjects are affected, what the specific risks are in your context, and what mitigations you have in place.

A healthcare company using ChatGPT has a fundamentally different risk profile than a marketing agency using the same tool. The provider's DPIA can't capture that difference — yours must.

What regulators want to see

  • Your specific use cases and data flows
  • Categories of personal data that could enter the system
  • Your assessment of necessity and proportionality
  • Risks specific to your sector and data subjects
  • Mitigations you've implemented yourself (not the provider's)

2. No ongoing review mechanism

A DPIA is not a one-time checkbox. Art. 35(11) GDPR explicitly states that the controller shall carry out a review to assess if the processing is performed in accordance with the DPIA "at least when there is a change in the risk represented by processing operations."

With AI tools, the risk changes constantly:

  • Providers update their models (GPT-3.5 → GPT-4 → GPT-4o: each version has different capabilities and risks)
  • Your team finds new use cases (summarising meeting notes → processing customer complaints)
  • New employees start using the tools without the original risk context
  • Data categories shift as adoption grows

Regulators increasingly ask: "When was this DPIA last reviewed? What triggered the review?" If your answer is "we wrote it in 2024 and haven't touched it," that's a finding.

A practical review cadence

  1. Quarterly — review audit logs for new data patterns or use cases
  2. On model change — when a provider updates to a new model version
  3. On scope change — when a new department or use case is added
  4. On incident — any data breach or near-miss involving AI tools

3. Missing the Art. 9 special category risk

The biggest gap in most AI-related DPIAs is the failure to address special category data under Art. 9 GDPR. This includes health data, biometric data, political opinions, religious beliefs, trade union membership, sexual orientation, and racial or ethnic origin.

Most DPIAs say "we don't process special category data through AI tools." But can you prove that? Without monitoring what actually enters the AI system, this is an assumption, not an assessment.

An HR team member pasting an employee's sick leave details into ChatGPT for a summary is processing health data through an AI system. A legal team asking Claude to review a discrimination complaint is potentially processing data about racial origin, political opinions, or religion. These aren't hypothetical — they happen daily in organisations that use AI tools without guardrails.

What a strong DPIA includes

  • Acknowledgement that special category data may enter the AI system
  • Technical controls to detect and flag such data (not just policy prohibitions)
  • Legal basis documentation for any intentional processing
  • Evidence that the controls actually work (audit logs, detection rates)
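As an added example that is not part of the original article or of any product, a small Python review script over a constructed prompt audit log: it flags Art. 9 indicators per prompt (the detection evidence called for above) and reports department and model changes against the scope recorded in the DPIA (the review triggers from section 2). The log entries, the DPIA_SCOPE and the keyword patterns are all constructed for illustration and are not a real detection model.

```python
import re
from collections import Counter

# Constructed sample audit log of prompts submitted to AI tools (not real data).
AUDIT_LOG = [
    {"ts": "2025-03-03", "dept": "marketing", "model": "gpt-4",
     "prompt": "Rewrite this product blurb for LinkedIn."},
    {"ts": "2025-03-05", "dept": "hr", "model": "gpt-4",
     "prompt": "Summarise J. Doe's sick leave and diagnosis for the file."},
    {"ts": "2025-03-09", "dept": "legal", "model": "claude",
     "prompt": "Review this discrimination complaint citing religion and ethnic origin."},
    {"ts": "2025-03-12", "dept": "sales", "model": "gpt-4o",
     "prompt": "Draft a follow-up email to the prospect."},
]
# Scope recorded in the DPIA when it was written (constructed); anything in the
# log outside it is a review trigger under Art. 35(11).
DPIA_SCOPE = {"departments": {"marketing", "hr", "legal"}, "models": {"gpt-4", "claude"}}
# Illustrative keyword indicators for Art. 9 categories; a production control
# would use a tuned classifier, plain keywords are used here for clarity.
ART9_PATTERNS = {
    "health": r"\b(sick leave|diagnosis|medical|disability)\b",
    "religion": r"\b(religio(n|us)|belief)\b",
    "ethnic_origin": r"\b(racial|ethnic)\b",
    "political": r"\bpolitical\b",
    "trade_union": r"\b(trade union|union member)\b",
    "sexual_orientation": r"\bsexual orientation\b",
}

def detect_special_categories(prompt):
    """Return the Art. 9 categories whose indicators appear in a prompt."""
    return sorted(c for c, p in ART9_PATTERNS.items() if re.search(p, prompt, re.I))

def review_audit_log(log, scope):
    """Produce review evidence: flagged prompts, per-category counts, share of
    prompts flagged, and department/model changes since the DPIA was written."""
    flagged, by_category = [], Counter()
    for entry in log:
        cats = detect_special_categories(entry["prompt"])
        if cats:
            flagged.append({"ts": entry["ts"], "dept": entry["dept"], "categories": cats})
            by_category.update(cats)
    triggers = {
        "scope_change": sorted({e["dept"] for e in log} - scope["departments"]),
        "model_change": sorted({e["model"] for e in log} - scope["models"]),
    }
    return {"flagged": flagged, "by_category": dict(by_category),
            "flagged_share": len(flagged) / len(log) if log else 0.0,
            "review_triggers": triggers,
            "needs_review": bool(flagged or any(triggers.values()))}
```

Run quarterly over the real log export, the output is the "when was this reviewed and what triggered it" record a regulator asks for.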

The bottom line

AI-specific DPIAs aren't just longer versions of your standard templates. They require ongoing review, honest assessment of what data actually flows through the system, and mitigations that go beyond policy documents. The organisations that get ahead of this now will be in a significantly stronger position when enforcement picks up pace.

Disclaimer: This article is for informational purposes and does not constitute legal advice. Consult your Data Protection Officer and qualified legal counsel for guidance specific to your organisation's processing activities.
