Do You Actually Need a DPIA? The Official "2-out-of-10" Rule Explained
Stop guessing and start shipping. Use the official EDPB criteria to definitively decide if your project needs a Data Protection Impact Assessment.
TL;DR
- The Rule: If your project matches 2 or more of the 10 official criteria, a DPIA is mandatory.
- The Source: This rule comes from the WP248 guidelines, fully endorsed by the European Data Protection Board (EDPB).
The Promise: After reading this post (approx. 4 minutes), you will be able to score your project against the official criteria and decide if you need to pause for compliance or if you can proceed immediately.
Who this is for: Product Managers and Founders who need to know if their new feature triggers GDPR requirements.
The "2-out-of-10" Rule determines your compliance obligation
Many teams waste weeks on compliance assessments they don't need, while others skip them and invite massive fines. The decision isn't a guess; it is a calculated score.
The Article 29 Working Party (the precursor to the EDPB) established the WP248 guidelines. When the EDPB took over in 2018, they fully endorsed these guidelines. They provide a precise framework for determining when a Data Protection Impact Assessment (DPIA) is required.
The framework relies on 10 specific criteria. The rule for application is simple:
- 0 Criteria Matched: DPIA is fully optional. (Proceed with standard security measures.)
- 1 Criterion Matched: DPIA is recommended, but not strictly mandatory. (You should document why you chose not to do one.)
- 2+ Criteria Matched: DPIA is mandatory. You must assess the risks before executing the project.
The Checklist: Score Your Project
Do not answer these generally for your company. Answer them strictly for the specific project or feature you are building. While the criteria offer a clear overview and a simple decision rule, they can be hard to evaluate for somebody without prior experience. We offer a tool where our AI workflow can help you determine which criteria apply in your case.
Copy this checklist to your internal documentation.
The 10 WP248 / EDPB DPIA Criteria
| # | Criterion | Applies? | Explanation |
|---|---|---|---|
| 1 | Evaluation or Scoring | ☐ Yes ☐ No | Profiling, predicting behaviour, or scoring individuals (e.g. credit checks, risk scores). |
| 2 | Automated Decision-Making | ☐ Yes ☐ No | Decisions with legal or similarly significant effects made without meaningful human involvement. |
| 3 | Systematic Monitoring | ☐ Yes ☐ No | Ongoing or repeated observation or tracking of individuals (e.g. surveillance, usage tracking). |
| 4 | Sensitive / Highly Personal Data | ☐ Yes ☐ No | Processing special categories of data or highly personal information. |
| 5 | Large-Scale Processing | ☐ Yes ☐ No | Large number of data subjects, large data volumes, or wide geographic scope. |
| 6 | Matching or Combining Datasets | ☐ Yes ☐ No | Combining datasets in ways data subjects would not reasonably expect. |
| 7 | Vulnerable Data Subjects | ☐ Yes ☐ No | Presence of a power imbalance (e.g. children, employees, patients). |
| 8 | Innovative Use / New Technology | ☐ Yes ☐ No | Use of new or untested technologies (e.g. AI, LLMs, IoT). |
| 9 | International Transfers | ☐ Yes ☐ No | Transfers of personal data outside the EU/EEA without adequate protection. |
| 10 | Preventing Rights or Access | ☐ Yes ☐ No | Processing that limits the ability to exercise rights or access a service. |
Your score: ___ / 10
(2+ = DPIA required · 1 = DPIA recommended · 0 = DPIA optional)
Worked Example: The "Smart Recruiting" Feature
Let's apply the rule to a hypothetical feature to see how the score stacks up.
Scenario: A SaaS HR platform is launching a new feature that uses AI to summarize candidate resumes and suggest a "cultural fit score" based on their LinkedIn profiles.
The Analysis:
- Evaluation or Scoring: YES. (Creating a "cultural fit score").
- Automated Decision-Making: NO. (A human still hires).
- Sensitive Data: NO. (Resumes are personal, but usually not "special category" like health data).
- Matching Datasets: YES. (Combining Resume data + LinkedIn data).
- Innovative Use: YES. (Using AI/LLMs for summarization).
Total Score: 3/10
Verdict: DPIA is Mandatory. Because they hit 3 criteria (Scoring, Matching Datasets, Innovative Tech), they cannot launch this feature without a DPIA.
Pro Tip: If they removed the "Cultural Fit Score" and simply summarized the text, they might drop the "Evaluation" criterion. If they stopped scraping LinkedIn and only used the uploaded PDF, they would drop "Matching Datasets." This would bring them to 1/10 (Innovative Use only), making the DPIA optional.
How to execute this quickly
If you are on the borderline (1 or 2 criteria) or simply want a paper trail to prove to your investors and auditors that you checked, you don't need to hire a consultant yet.
1. The Screening Tool (Free)
We offer an AI-guided screening flow. It asks you questions about your project until it has enough information to calculate the score.
- Benefit: It will advise you on how to adjust your feature to stay in "No DPIA" territory if you are on the edge.
- Output: You get a document stating the analysis and the "No DPIA needed" decision for your records.
- Time: 5–10 minutes.
- Start Screening Here
2. The AI DPIA Generator
If you score 2+ and must do the DPIA, do not do it manually. Our AI agent can draft the full legal analysis, risk mitigation strategies, and documentation required by the GDPR. You will still need DPO review per legal requirements.
Get unblocked on simple cases - here is a simple memo we recommend when you are confident that you don't need a DPIA. If you find some parts hard to decide, get help from our analysis at dpia.covenance.ai/screening
Internal Memo: What to tell your DPO/Legal
Copy and paste this to your internal messaging system to unblock your project.
Subject: DPIA Determination for [Project Name]
Hi [Name],
Regarding the upcoming release of [Project Name], I have performed a preliminary screening against the official WP248/EDPB Guidelines to determine if a Data Protection Impact Assessment (DPIA) is legally required.
Based on the "2-out-of-10" rule endorsed by the EDPB:
Our Score: [Insert Score, e.g., 1/10]
Criteria Met: [Insert Criteria, e.g., Innovative Use (AI)]
Conclusion: Since we do not meet the threshold of 2 criteria, a full DPIA is [Optional/Recommended but not mandatory].
Unless you see a specific high risk outside of these standard criteria, we plan to proceed with standard security documentation rather than a full DPIA process.
Best,
[Your Name]
FAQ
1. Is a DPIA done per organization or per project?
Per project. You cannot have a single "Company DPIA." You need a DPIA for specific processing activities. If you have a recruiting tool and a customer analytics tool, those are likely two separate assessments.
2. What if I match exactly 1 criterion?
The guidelines say a DPIA is recommended. In practice, if that one criterion is "Innovative Use" (like AI), many companies choose to do a lightweight DPIA to be safe. If you choose not to do one, write a one-page memo explaining why the risk is low. Our tools can help you craft this argument - find more on dpia.covenance.ai
3. Does using AI always require a DPIA?
Not automatically, but usually yes. AI often triggers "Innovative Use" (Criterion 8). If it also triggers "Evaluation/Scoring" (Criterion 1) or "Automated Decision-Making" (Criterion 2), you hit the 2-criteria threshold immediately.
4. Is automating the DPIA allowed?
Yes. While a human must sign off on the risk decisions, the drafting, risk identification, and mapping of data flows can be heavily automated using LegalTech AI solutions.
When to Re-evaluate (DPIAs are not "One and Done")
A common mistake is thinking, "We did a DPIA in 2021, so we are good." A DPIA is a risk management tool for a specific context. If the context changes, the risk changes.
You must re-run the screening checklist above if any of the following occur:
- New Technology: You introduce new software, AI models, or hardware to process the data.
- Data Scope: You begin collecting new types of data (e.g., you start asking for phone numbers or location).
- Organizational Change: A change in who accesses the data (e.g., a new merger) or how it is shared (e.g., a new sub-processor or API integration).
- Contextual Shift: Changes in the environment, such as new security threats or significant shifts in public sentiment regarding a technology.
Best Practice: Even without changes, review your critical DPIAs every 3 years.
Last Updated
- Date: 2026-01-05
- Notes: Updated to reflect current interpretation of "Innovative Use" regarding Generative AI models.
If your project score was 2 or higher, don't panic. You can generate your required documentation quickly.
👉 Get your automated DPIA here