§ AI DPIA Threshold Checker·client-side form · no sign-up

Does this AI system need a DPIA?

Answer a few questions about where your AI system operates, what it does, and the data it touches, and get a likely yes or no on whether a DPIA, a PIA, or an ADMT risk assessment is triggered, which framework or frameworks trigger it, and a scope outline to build from.

This is a starting point to focus a privacy conversation for a DPO, privacy counsel, or compliance leader. It is not legal advice and not a determination that any assessment is or is not legally required. Your counsel and DPO own that conclusion.

This runs entirely in your browser. Nothing you enter is sent to a server.
§ Read this first

This checker maps your answers to the frameworks that commonly require a privacy assessment for an AI system and returns a likely-required read, the triggering frameworks, and a scope outline. It is a starting point, not legal advice, and not a legal determination that a DPIA, PIA, or assessment is or is not required in your specific case. Statutory framing is kept general. Whether an assessment is legally required, and whether it is sufficient, is a conclusion for your data protection officer and counsel. No data leaves the browser.

§ The checker·four questions, then your threshold read
ReachWhere does the AI system operate, or whose data does it affect?

Select all that apply. This determines which privacy frameworks are even in play. Pick the places whose residents' personal data the system processes, or whose people it targets or monitors.

Q1What does the AI system do with personal data?

Pick the closest match. Automated decisions with real effects on people are the most common trigger for a mandatory assessment.

Q2Does it process special-category or sensitive data?

Special-category data under GDPR Article 9 and sensitive personal information under the US state laws (health, biometric, precise geolocation, race, religion, sexual orientation, and more) is an independent trigger.

Q3At what scale does it process personal data?

Large-scale processing raises the risk profile and, combined with sensitive data or monitoring, is its own DPIA trigger under the GDPR.

Select at least one reach option and answer all three questions to get your threshold read.
·

DPIA threshold: ·

Why this read

·

Framework-by-framework

Based on the reach you selected and what the system does. Each line is a heuristic, not a legal determination.

Scope outline to build from

The structure a DPIA or privacy impact assessment for an AI system should cover, to adapt with your DPO and counsel.

    § Turn this into a completed assessment·from a threshold read to a DPIA

    A checker is a self-assessment of the threshold question. The value is a completed, defensible assessment: a jurisdiction-by-jurisdiction trigger analysis, a DPIA or PIA adapted to your system, a risk register, and a residual-risk statement your privacy office can finalize. That is the Privacy / DPIA for AI Systems assessment.

    § What to produce next

    ·

    § The fine print

    This checker is a structured starting point to focus a privacy conversation. It is not legal advice, not a legal determination that a DPIA, PIA, or risk assessment is or is not required in your case, and not a certification of compliance. Statutory framing is kept general. Whether an assessment is legally required, and whether it is sufficient, is a conclusion for your data protection officer and counsel.

    No data leaves the browser. Nothing you enter is sent to a server or retained.

    Copied to clipboard.

    Last reviewed: 2026-07-05 · Initial release. The trigger logic, framework mapping, and scope outline are a structured practitioner heuristic for the DPIA threshold question, re-checked quarterly. Accuracy is the point, and it is not a substitute for advice from counsel.

    § When you want the completed assessment·fixed-fee, senior-only

    Get a full DPIA for your AI system.

    A checker reads the threshold question. When you want a completed, defensible assessment, a principal runs a fixed-scope DPIA for your system and hands you a trigger analysis, a risk register, and a residual-risk statement your privacy office can finalize.

    § What this is·and what it isn't

    A threshold read. Not legal advice.

    This checker is a structured self-assessment to focus a privacy conversation for a DPO, privacy counsel, or compliance leader. It maps your answers to the frameworks that commonly require a DPIA, a PIA, or an ADMT risk assessment for an AI system. It does not access your systems, and it does not provide legal advice or determine that any assessment is or is not legally required in your case. Statutory framing is deliberately general.

    DSE provides AI privacy and governance readiness work, including DPIA and privacy impact assessments for AI systems. We are not a law firm, do not provide legal advice, do not certify compliance with the GDPR, the CCPA, the Colorado AI Act, the EU AI Act, or any other law, and do not guarantee any regulatory, supervisory, or enforcement outcome. We work alongside your counsel and data protection officer.