HomeGlossaryData Protection Impact Assessment (DPIA) in Procurement
IT & Digital ProcurementDPIA

Data Protection Impact Assessment (DPIA) in Procurement

A Data Protection Impact Assessment (DPIA) in procurement is a structured process required under GDPR before deploying any technology that processes personal data at significant scale or risk, identifying privacy risks and mitigation measures before a contract is signed and a system goes live.

Quick answer

A Data Protection Impact Assessment (DPIA) in procurement is a structured process required under GDPR before deploying any technology that processes personal data at significant scale or risk, identifying privacy risks and mitigation measures before a contract is signed and a system goes live.


A Data Protection Impact Assessment (DPIA) is a structured privacy risk assessment required under Article 35 of the General Data Protection Regulation (GDPR) before deploying processing operations that are "likely to result in a high risk" to individuals. In the context of public procurement, a DPIA is typically required as part of the pre-contract due diligence process when a contracting authority is buying or deploying a technology system that will process personal data. Running the DPIA before contract award allows buyers to identify risks early and impose appropriate technical and contractual requirements on suppliers.

What is a DPIA in procurement?

GDPR Article 35 requires controllers (which include public sector contracting authorities) to carry out a DPIA before commencing processing that is likely to result in high risk. The regulation identifies specific categories of processing that always require a DPIA: systematic and extensive profiling with significant effects, large-scale processing of special category data (health, biometric, criminal), and systematic monitoring of publicly accessible areas. Many national data protection authorities (the UK's ICO, France's CNIL, Germany's state DPAs) publish lists of processing types that they require a DPIA for by default.

In procurement, a DPIA should be initiated during the specification and supplier selection phase, not after contract award. This allows the assessment findings to inform the contract requirements: for example, requiring the supplier to implement specific technical measures (encryption at rest and in transit, access logging, data minimisation by design), to commit to data residency within the EEA or UK, to maintain a record of processing activities, and to notify the buyer within defined timescales of any personal data breach.

The DPIA must document the nature, scope, context, and purposes of processing; assess necessity and proportionality; identify risks to individuals; and describe measures to address those risks. Where residual risks remain high after mitigation, the contracting authority must consult its supervisory authority before proceeding. The DPIA should be reviewed and updated when the processing or the system changes materially.

GDPR compliance in procurement more broadly covers the contractual requirements (data processing agreements, controller/processor distinctions, sub-processor controls) that flow from the DPIA findings. For cloud hosting procurement and software as a service (SaaS) procurement, the DPIA is typically the primary tool for identifying data residency and security requirements.

Why it matters for bidders

Suppliers responding to public sector technology procurements are increasingly asked to support the buyer's DPIA process. This may involve completing a supplier questionnaire on processing activities, providing technical architecture diagrams, disclosing sub-processors and their locations, and providing evidence of security certifications. Suppliers who understand the DPIA process and can respond to these questions clearly and accurately will be better positioned than those who treat privacy questions as an afterthought.

Suppliers acting as data processors must be prepared to sign a Data Processing Agreement (DPA) incorporating the minimum terms required by GDPR Article 28. Buyers will typically require this as a contract condition, and failure to agree terms will block contract award.

Example

A Belgian social welfare agency procures a case management system handling sensitive data about benefit claimants. Before issuing the invitation to tender, the agency initiates a DPIA. The assessment identifies that batch profiling of claimants for fraud risk constitutes high-risk processing, requiring encryption of all data at rest, pseudonymisation of analytics outputs, and a strict data retention policy. These requirements are incorporated into the tender specification and become contractual obligations for the winning supplier.

Frequently Asked Questions

When in the procurement process should a DPIA be started?

A DPIA should be started as early as possible, ideally during the needs analysis and specification phase, before the tender documents are finalised. Starting early allows the findings to shape the technical specification and contract requirements. Starting after contract award means risks may not be manageable within agreed terms.

Does a DPIA need to be shared with suppliers?

The completed DPIA is an internal document of the contracting authority. However, the requirements identified in the DPIA (technical controls, contractual obligations, sub-processor restrictions) should be reflected in the tender specification and contract terms. Buyers may choose to share the DPIA with shortlisted suppliers under a confidentiality agreement during technical dialogue.

Are DPIAs required under the UK GDPR after Brexit?

Yes. The UK retained GDPR obligations through the Data Protection Act 2018 and UK GDPR. The DPIA requirement under Article 35 continues to apply in full to UK contracting authorities. The ICO provides guidance and a template for conducting DPIAs.

How Bidovate helps

Bidovate puts Data Protection Impact Assessment (DPIA) in Procurement to work inside your capture and proposal workflow.

Tender discovery

See Bidovate in action

Book a demo and we will show you the platform using your actual contract data.

Related terms

GDPR Compliance in Procurement

GDPR compliance in procurement requires contracting authorities across EU member states and the UK to embed data protection obligations into technology contracts, including data processing agreements, controller/processor role definitions, sub-processor controls, and breach notification requirements, before any personal data is processed.

View

Software as a Service (SaaS) Procurement

Software as a Service (SaaS) procurement covers the purchase of cloud-delivered software applications accessed over the internet on a subscription basis, where the supplier manages infrastructure, updates, and security, requiring public sector buyers to evaluate vendor lock-in, data residency, and GDPR compliance alongside functionality.

View

ICT Procurement

ICT procurement covers the purchase of information and communications technology goods and services by public sector organisations, encompassing hardware, software, cloud services, telecommunications, and associated support, governed by EU Directive 2014/24/EU and national implementing legislation across European member states.

View

Cloud Hosting Procurement

Cloud hosting procurement covers the purchase of infrastructure-as-a-service and platform-as-a-service resources from commercial cloud providers, requiring public sector buyers to assess data sovereignty, security accreditation, exit costs, and compliance with national and EU cloud policy before contracting.

View

Interoperability Requirements

Interoperability requirements in procurement specify that technology systems must be capable of exchanging data with, and working alongside, other systems using defined standards and protocols, preventing lock-in, enabling cross-agency data sharing, and supporting the European Interoperability Framework across EU member states.

View