The first step in a DPIA is to describe the data processing activity itself. This means providing a systematic explanation of what’s being done with the data and why—including any legitimate interests behind the processing (as per Article 35(7)(a)).
WP248 breaks this description down into five criteria. The first is captured by the phrase “nature, scope, context, and purposes”; each of these four terms must be considered in your DPIA:
- Nature refers to the type of personal data being processed, such as special category data (health information, for example) or criminal-offence data, and to the volume, frequency, and complexity of the processing.
- Scope is about the extent of the processing—how many people’s data is involved, where they’re located, and how long the data will be kept.
- Context looks at the bigger picture—social, cultural, and legal factors that affect processing, including regulatory requirements and user expectations.
- Purposes explain why the data is being processed, including the intended benefits (e.g., improving services or avoiding data breaches).
The second key point from WP29 builds on this by stating that details about the personal data, its recipients, and how long it will be stored must be recorded. While there may be some overlap with earlier categories, it’s important to explicitly note retention periods.
The next two WP248 criteria call for a functional description of the processing operation and an inventory of the assets on which the personal data rely: hardware, software, networks, people, and paper or paper transmission channels. Flow diagrams or charts can help make this clearer.
The final point applies to organizations that follow an approved code of conduct. Article 35(8) requires that compliance with such a code be taken into account when assessing impact, so these self-regulatory frameworks help organizations demonstrate compliance, and in some cases, such as in Sweden, following one might even eliminate the need for a DPIA altogether.
Defining the “nature, scope, context, and purposes” of a DPIA helps draw a clear line between what’s included and what isn’t. A thorough and structured description isn’t just for clarity—it’s a necessary step to properly assess and mitigate risks.