DPIA support

DPIAs that stay connected to the system, the evidence and the decision.

A DPIA is not a one-off document to complete after the design has already settled. It helps the organisation understand the real processing, the impact on people, the controls and the decision record.

XpertDPO helps teams keep the assessment connected to live use, vendor evidence, residual risk and review triggers.

DPIA evidence review for a new processing activity

DPIA support
Practical privacy work connected to the right operating-model conversation.

Senior judgement
Support is framed around accountable decisions, not generic advice.

Controlled method
Work, evidence, escalation and review are held together.

Clear next step
The first conversation is shaped around the organisation's risk, operating model and support needs.

When the assessment needs more

The assessment needs to catch up with reality.

  • The system has changed since the first assessment.
  • Vendor features, AI use, transfers or training data need more evidence.
  • Risk ownership and residual-risk sign-off are unclear.
  • The DPO or project team needs a stronger review route.

Where the DPIA pressure may point

Some DPIA issues are really vendor, AI or specialist-support issues.

Supplier facts are unclear

Vendor and third-party privacy governance

For vendor evidence, processor roles, sub-processors, transfers or AI supplier changes affecting the assessment.

Review vendor governance

Assessment needs lifecycle control

AI/DPIA lifecycle support

For AI, automated processing or high-risk systems where the DPIA must stay connected to live use.

Explore AI/DPIA support

The team needs challenge

DPO Support

For DPOs, privacy leads or legal teams that need senior review before sign-off.

Explore DPO Support

Frequently asked questions

Questions that focused DPIA support often raises.

These questions help keep the assessment connected to live processing, vendor evidence, residual risk and review.

When is a DPIA required under GDPR?

A DPIA is required where processing is likely to result in a high risk to individuals. This may include large-scale special-category data, systematic monitoring, profiling, innovative technology, AI-enabled processing, vulnerable groups or significant effects on people. The practical question is whether the organisation has understood and evidenced the risk before proceeding.

What makes a DPIA acceptable to supervisory authorities?

A useful DPIA describes the real processing, assesses necessity and proportionality, identifies risks to individuals, records mitigations, shows DPO input where required, captures residual risk and includes clear review triggers. It should be a decision record, not only a template completion exercise.

Do DPIAs need to include vendor and third-party risks?

Often, yes. Where a vendor, processor, sub-processor or external platform is part of the processing, the DPIA should be informed by the relevant operational facts and evidence: roles, data flows, access, retention, security, sub-processing, transfers, model updates and contractual controls.

Can DPIAs be completed using templates alone?

Templates can help structure the work, but they cannot substitute for understanding the actual processing, risks, controls, users, vendors and residual decisions. A DPIA needs enough substance to show how the organisation assessed risk and why the chosen mitigations are appropriate.

How often should DPIAs be reviewed?

DPIAs should be reviewed when the processing, vendor, data, use case, risk profile, law or operating context changes. For AI and live systems, review triggers matter more than an arbitrary calendar date because the assessment needs to remain true to the system people actually use.

Next step

Start with the work that now needs confidence.

Tell us what has changed, what feels difficult to evidence or explain, and who needs assurance. We will help shape the right conversation from there.