Irish DPC Issued Draft List of Types of Data Processing Operations Which Require A DPIA

The Irish Data Protection Commission (DPC) has prepared a draft list of processing operations for which it considered it mandatory to conduct a DPIA, as well as factors which will lead to high risk. The controller has the obligation to conduct such an assessment when its activity falls under the list. DPC guidance on the steps to conduct a DPIA is available online.


This list of processing operations is intended to cover both national and cross-border data processing and must be approved by the European Data Protection Board (EDPB) where the processing involves individuals in several member states or may substantially affect the free movement of data within the EU. Currently, the DPC website still cites the WP29 “high risk” list. OneTrust has published an article on this topic.

For additional details on the basis for this list see:

Key points

While conducting a DPIA is highly recommended by DPAs and mandatory when processing activities may bring high risk to individuals’ rights and freedoms, there are underlying burdens on businesses. The variation in DPA high-risk factors may result in complexity for businesses with processing across several member states. This works against the harmonization that the GDPR sought to provide.

DPIAs for any processing activity

High-risk factors


It is important to know when it is necessary to carry out a full DPIA and how to identify those activities with high risks. OneTrust automated assessments can help: they make it simple to perform prescreening or preliminary risk assessments, as well as to capture the full range of required details should a full DPIA be required.