“Do I need a DPIA for this AI project?” comes up early in most UK AI work, and the honest answer is usually yes. Here’s how to tell in 2026, with the ICO’s own guidance as the reference point. (dgm implements osFoundry as an independent partner. This is general information, not legal advice: your DPO owns the DPIA.)

The short answer

A Data Protection Impact Assessment (DPIA) is legally required (UK GDPR Article 35) for processing that is likely to result in a high risk to individuals, and the ICO’s AI guidance says that in the vast majority of cases the use of AI on personal data is exactly that kind of processing. So for an AI project on personal data, the safe assumption is: yes, do a DPIA. If you conclude one is not needed, record why; the ICO expects that decision to be documented too.

When it’s clearly required

You should treat a DPIA as required if your AI involves any of:

  • profiling or evaluating individuals (for example scoring, ranking or predicting behaviour);
  • large-scale processing of personal data;
  • special-category data (health, biometric data used to identify someone, etc.) or criminal-offence data;
  • solely automated decisions with legal or similarly significant effects on people;
  • systematic monitoring, including tracking or monitoring of a publicly accessible area;
  • use of innovative technology, which the ICO’s DPIA criteria list as a trigger and which AI almost always is.

Most business AI touches at least one of these.

What a DPIA covers

A DPIA documents:

  1. the processing and its purposes;
  2. necessity and proportionality — do you need this data, this way?;
  3. risks to individuals’ rights and freedoms; and
  4. mitigations — how you’ll reduce those risks.

For AI specifically, address the lawful basis for each stage (training as well as inference), transparency to the people whose data is used, statistical accuracy of the model’s outputs, bias and fairness across groups, data minimisation, security of the data and the model, and the Article 22 safeguards (human review, the right to contest) where a decision is solely automated.

Do it early

A DPIA is meant to shape the design, not rubber-stamp it afterward. Done during scoping, it often changes choices — minimising the personal data used, adding human review, or self-hosting so data isn’t exposed to third parties. That’s the value: it’s a design tool, not paperwork.

Use the ICO toolkit

The ICO’s AI and data protection risk toolkit maps the risks AI systems create across the lifecycle — a practical starting point for the risk-assessment part of your DPIA.

Where osFoundry and dgm fit

dgm scopes AI projects to be DPIA-ready: minimising the personal data exposed, enabling data control (self-host in your own cloud, or use a hosted region; osFoundry publishes US, EU and JP regions, not a UK one, so any hosted option moves data out of the UK and the DPIA should record that international transfer and the mechanism that makes it lawful), building in human oversight for significant decisions, and providing audit logs that evidence how the system behaves. Those design choices directly answer a DPIA’s necessity, proportionality and mitigation questions.

dgm is an independent integration partner (with no completed integrations yet), not a law firm. The DPIA is owned by your organisation and your DPO. To scope a DPIA-ready AI project, book a consultation with dgm.