The Data Protection Commission (DPC) is the independent Irish authority responsible for upholding data protection rights and enforcing GDPR compliance across Ireland.

A Data Protection Impact Assessment, commonly referred to as a DPIA, is a formal process that organisations must carry out before beginning any processing of personal data that is likely to result in a high risk to the rights and freedoms of individuals. Required under Article 35 of the GDPR, a DPIA is designed to help you systematically identify, assess, and mitigate data protection risks before the processing begins, rather than trying to fix problems after they arise.
The purpose of a DPIA is not merely to tick a compliance box. It is a practical tool that forces you to think carefully about what personal data you are collecting, why you need it, how you will protect it, and whether the processing is proportionate to the purpose. For Irish startups building products that handle customer data, employee data, or any form of personal information at scale, conducting a DPIA early in the development process can prevent costly redesigns and regulatory issues later.
The Data Protection Commission expects organisations to integrate DPIAs into their standard project management and product development workflows. This means that whenever your business plans a new system, product feature, or data processing activity that could affect individuals' privacy, a DPIA should be one of the first steps in the planning process, well before any data is actually collected or processed.
A DPIA is mandatory when the processing is likely to result in a high risk to individuals. Article 35(3) of the GDPR lists several scenarios where a DPIA is always required: systematic and extensive evaluation of personal aspects based on automated processing, including profiling, where decisions produce legal effects on or similarly significantly affect individuals; large-scale processing of special category data (such as health or biometric data) or of data relating to criminal convictions and offences; and systematic monitoring of publicly accessible areas on a large scale. Under Article 35(4), the Data Protection Commission has also published a list of processing activities that require a DPIA in the Irish context.
Beyond these specific triggers, a good rule of thumb is to conduct a DPIA whenever you plan to use new technologies, process data on a large scale, combine datasets from different sources, or target vulnerable individuals such as children or employees. If in doubt, it is safer to carry out a DPIA than to skip it, as the cost of conducting one is minimal compared to the potential consequences of non-compliance.
Article 35(7) sets out the minimum content of a DPIA: a systematic description of the proposed processing operations and their purposes, an assessment of the necessity and proportionality of the processing, an evaluation of the risks to individuals' rights and freedoms, and the measures you plan to implement to address those risks. The assessment should consider both the likelihood and severity of potential harm, ranging from minor inconvenience to serious discrimination or financial loss.
The description of the processing should cover the types of personal data involved, the categories of data subjects, the legal basis for processing, the data retention period, and any cross-border transfers. The risk assessment should identify specific threats such as unauthorised access, data loss, or misuse, and the mitigation measures should explain how you will reduce each risk to an acceptable level, through technical measures like encryption, organisational measures like staff training, or process controls like access restrictions.
If your organisation has appointed a Data Protection Officer (DPO), they must be consulted during the DPIA process. The DPO can provide guidance on the methodology, help identify risks, and advise on appropriate mitigation measures. Even if your startup has not appointed a DPO, it is good practice to involve someone with data protection expertise in the assessment to ensure it is thorough and credible.
The person responsible for the processing activity, typically the product manager or project lead, should own the DPIA and coordinate input from technical, legal, and operational stakeholders. This collaborative approach ensures that all aspects of the processing are considered and that the mitigation measures are practical and implementable.
If, after completing the DPIA, you determine that the processing would still result in a high risk that cannot be sufficiently mitigated, Article 36 of the GDPR requires you to consult the Data Protection Commission before proceeding. In this prior consultation process the DPC reviews your assessment and, where it considers the intended processing would infringe the GDPR, provides written advice, normally within eight weeks of the request, and may also exercise its corrective powers, including ordering you to change or stop the processing.
Prior consultation is a last resort and indicates that the residual risk is too high for the organisation to manage alone. In practice, most businesses should aim to design their processing activities so that risks are reduced to an acceptable level through the DPIA process itself, avoiding the need for formal consultation. If you find yourself unable to mitigate the risks, it may be a signal that the processing activity needs to be redesigned fundamentally.
For Irish startups, the most effective approach is to embed DPIAs into your existing product development and project management processes. Create a screening checklist that project leads complete at the start of any initiative involving personal data. If the screening indicates a potential high risk, trigger a full DPIA before development begins. This prevents delays later in the process and ensures that privacy considerations are baked into your products from the design stage.
Maintain a register of all DPIAs conducted, including the outcomes and any follow-up actions. This register serves as evidence of your corporate compliance efforts and can be presented to the Data Protection Commission if your processing activities are ever audited. Review completed DPIAs periodically, especially when the scope of processing changes, new data processors are engaged, or relevant laws are updated.
Failing to carry out a DPIA when one is required is a direct violation of the GDPR and, under Article 83(4), can result in administrative fines of up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. Beyond the financial penalty, the absence of a DPIA can indicate broader compliance weaknesses that the Data Protection Commission may investigate further. During due diligence, investors and acquirers will often ask to see evidence of completed DPIAs as part of their assessment of your company's data governance maturity.
For founders, the practical lesson is clear: conducting a DPIA is far less costly than dealing with the consequences of not conducting one. By making it a standard part of your GDPR compliance framework, you protect your business, your customers, and your reputation in the Irish market and beyond.