GDPR & AI Governance
Data protection impact assessments for Irish employers

This article is for general informational purposes and does not constitute legal advice. Employers with specific concerns should consult a qualified data protection professional or the Data Protection Commission (DPC).

A Data Protection Impact Assessment sounds like the kind of document only a large multinational needs. In practice, plenty of ordinary HR activity — rolling out monitoring software, introducing a new recruitment platform, deploying CCTV with audio — can trigger the legal requirement to carry one out, regardless of how small the organisation is.

When Is a DPIA Legally Required?

Under Article 35 of the GDPR, a DPIA is mandatory wherever a type of processing — particularly involving new technology — is "likely to result in a high risk to the rights and freedoms" of the people whose data is involved. The GDPR doesn't give an exhaustive list, but it does name three specific triggers directly:

Beyond these three, the Article 29 Working Party (the EU body whose guidance the DPC follows) set out ten broader risk criteria — including evaluation/scoring, systematic monitoring, sensitive data, large-scale processing, and processing involving vulnerable data subjects. The practical rule of thumb: meeting two or more of these criteria means a DPIA is required; meeting fewer suggests lower risk, though the controller should still document why a DPIA wasn't considered necessary.

Why Does Employee Monitoring Often Trigger a DPIA?

This is the part most relevant to ordinary Irish employers, and the part most likely to be missed. GDPR guidance explicitly names employees as a vulnerable category of data subject — not because employees are inherently vulnerable people, but because the power imbalance in the employment relationship makes it genuinely difficult for someone to object to processing their employer wants to carry out. A worker who's uncomfortable with new monitoring software is rarely in a position to simply refuse.

This means activities that might look routine from an employer's side often meet the DPIA threshold from a data protection perspective:

Many employers default to relying on employee consent as the legal basis for this kind of processing. The DPC has been clear this is usually the wrong choice — consent given by an employee to their employer is rarely "freely given" in the way GDPR requires, precisely because of that same power imbalance. Employee data handling generally needs a different legal basis altogether.

What Does a DPIA Actually Involve?

The GDPR sets four minimum elements a DPIA must contain:

Beyond that minimum, the DPC's own guidance recommends a six-step process: confirm a DPIA is needed, map how the data will flow through the project, identify the risks, identify measures to reduce them, sign off and record the outcome, then feed the result back into the actual project plan. It should happen before the processing starts, not as a retrospective justification once a tool is already live.

What If the DPIA Finds a Risk You Can't Reduce?

Most identified risks can be brought down to an acceptable level through specific measures — tighter access controls, shorter retention periods, pseudonymising data, better staff training. If, after applying mitigations, a significant residual risk remains, the GDPR requires the data controller to consult the Data Protection Commission before proceeding. Skipping a required DPIA altogether is a breach of the GDPR in its own right, independent of whatever happens with the underlying processing.

Further Reading

Share this: Twitter LinkedIn