Glossary

DPIA (Data Protection Impact Assessment)


DPIA (Data Protection Impact Assessment) — in German, DSFA (Datenschutz-Folgenabschätzung) — is a formal procedure under GDPR Art. 35 for assessing the risks of a planned data processing operation to the rights and freedoms of data subjects. A DPIA is mandatory when the processing is likely to result in a high risk.

Typical triggers include profiling, automated decision-making, large-scale processing of special categories of personal data, or systematic video surveillance. The DPIA documents the processing purpose, necessity, risks, and planned remedial measures. If a high residual risk remains after all measures, the supervisory authority must be consulted (Art. 36). Within an ISMS, the DPIA can be effectively combined with the risk assessment per ISO 27005.