DPIA Description

The first step in a DPIA is to describe the data processing activity itself.

This means providing a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller (as required by GDPR Article 35(7)(a)).

The Core of Every DPIA

Nature

Nature refers to the type and sensitivity of the personal data being processed (for example health data or criminal records) and to what is actually done with it, including the overall scale and complexity of the processing operations.

Scope

Scope is about the extent of the processing: how many people's data is involved, where those people are located, and how long the data will be kept.

Context

Context looks at the bigger picture: the social, cultural, and legal factors that affect the processing, including regulatory requirements and what data subjects would reasonably expect.

Purposes

Purposes explain why the data is being processed, including the intended benefits (e.g., improving services or reducing the risk of data breaches).

DPIA Technical Detailing (Article 29 Working Party Guidelines, WP248)

The Article 29 Working Party (WP29) guidelines on DPIAs (WP248) list, among the criteria for an acceptable DPIA, that the personal data, its recipients, and the period for which it will be stored are recorded. Even where these details overlap with earlier sections, recording the retention period explicitly remains essential for accountability.

WP248 also calls for a functional description of the processing operation and for identifying the assets on which the personal data rely, such as hardware, software, networks, people, and paper or paper transmission channels, so that the description gives a complete view of the processing. Visual tools such as data-flow diagrams can make this clearer. Under Article 35(8), adherence to an approved code of conduct must be taken into account when assessing impact, so organizations that follow one can use it to help demonstrate that appropriate measures are in place.

Ensuring Clarity and Compliance

Defining the "nature, scope, context, and purposes" of the processing draws a clear line between what the DPIA covers and what it does not. A thorough, structured description is not just for clarity; it is the necessary foundation for properly assessing and mitigating the risks in the later steps.