When you need a DPIA
High-risk AI usually touches personal data, and that can require a data protection impact assessment under the GDPR. This is a GDPR duty the AI Act points you toward.
Updated May 2026
What the duty is
A data protection impact assessment is a structured look at how a system processes personal data and the risks that creates for people, with the safeguards you will put in place. It comes from GDPR Article 35, and the provider's system information helps you complete it.
When it applies
This is conditional. It applies when a system processes personal data and is likely to carry a high risk to people's rights, which covers most high-risk AI uses. Whether a DPIA is required in your case is a judgment for you and your data protection adviser.
Marking it done
Carry out the DPIA where it is needed, then mark the duty done on your roadmap. The related AI Act duty on input data is the Data Governance Procedure.
Veillo is compliance tooling, not a law firm. Even counsel-reviewed content is general reference, not legal advice on your specific situation.
Some deployers must assess a high-risk system's impact on fundamental rights under Article 27. Who this applies to and how Veillo tracks it.
The data governance procedure for high-risk inputs under Article 26: keeping input data fit for purpose, and how to generate one per system.
Veillo stores data in the EU by design. Where your data lives, how GDPR and the DPA work, who can see your records, and what we do not do with them.
Still need help?
Get in touch and a human will answer, or book a short walkthrough.