penby.

A practical DPIA template for marketing campaigns

Most marketing teams have never completed a Data Protection Impact Assessment. Here is a practical template, a worked example, and the mistakes to avoid.

Andy Williamson IMCM Cert(IM)
14 February 2026 10 min read

Marketing campaigns routinely trigger a legal requirement that most marketing teams have never heard of. The Data Protection Impact Assessment – DPIA – is the UK GDPR's mechanism for evaluating and mitigating privacy risks before high-risk processing begins. If your next campaign involves profiling, lead scoring, behavioural targeting, or personalisation using AI, you almost certainly need one.

Yet DPIAs sit in the gap between two teams that rarely talk to each other. Compliance officers understand the legal obligation but not the data flows inside a marketing automation platform. Marketing managers understand the campaign architecture but not the regulatory threshold that makes a DPIA mandatory. The result is predictable: DPIAs either don't get done, or they get done badly – checkbox exercises filed after the campaign has already launched.

This article provides a practical template you can actually use. It explains when a DPIA is required for marketing activities, walks through each step with marketing-specific examples, and includes a worked example for a lead scoring system. The goal is a DPIA that makes your campaign better, not just compliant.

When your marketing campaign needs a DPIA

Article 35(1) of the UK GDPR requires a DPIA when processing is "likely to result in a high risk to the rights and freedoms" of individuals, particularly when using new technologies. Article 35(3) specifies three cases where a DPIA is always required. For marketing, the most relevant is systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions producing legal or similarly significant effects are based.

But the real test is the nine criteria set out in the Article 29 Working Party's guidelines on DPIAs (WP 248 rev.01), which the EDPB adopted and the ICO endorses. These nine indicators of high-risk processing are: evaluation or scoring; automated decision-making with legal or similarly significant effects; systematic monitoring; sensitive data or data of a highly personal nature; data processed on a large scale; matching or combining datasets; data concerning vulnerable data subjects; innovative use or application of new technological or organisational solutions; and processing that in itself prevents data subjects from exercising a right or using a service or contract.

The EDPB's threshold is clear: if your processing meets two or more of these criteria, a DPIA will almost certainly be required. Marketing campaigns frequently meet several.

The ICO reinforces this through its own published list of ten processing types requiring DPIAs. Three items on that list explicitly cite marketing: data matching (including direct marketing), invisible processing (including online tracking and advertising), and tracking (including online advertising and wealth profiling for direct marketing). If your campaign involves any of these combined with another EDPB criterion, a DPIA is mandatory.

The marketing activities that trigger it

Profiling for ad targeting. Using behavioural data – website visits, email engagement, purchase history – to build audience segments engages at least three of the criteria: evaluation or scoring, matching or combining datasets, and systematic monitoring. Lookalike audience creation on Meta or LinkedIn adds a fourth: large-scale processing at platform level. The EDPB's Guidelines 8/2020 on the targeting of social media users treat the advertiser and the platform as joint controllers for the targeting operations, and each must assess for itself whether a DPIA is required.

Lead scoring. Any system that uses personal data to evaluate aspects of an individual and assign a score is profiling by definition under GDPR Article 4(4). Lead scoring engages evaluation or scoring (that is literally what it does), matching or combining datasets (CRM, email, website, and form data), and innovative technology if AI or machine learning drives the scoring model. Any lead scoring system that meets these criteria needs a DPIA.

Large-scale email combined with behavioural data. There is no universal numeric threshold for "large-scale" – the EDPB assesses volume, data variety, duration, and geographic extent contextually. But even if your database doesn't qualify as large-scale on volume alone, combining email engagement data with purchase history and website analytics independently engages the matching and evaluation criteria. Two criteria met; DPIA required.

AI in marketing. The ICO's position is unambiguous: "In the vast majority of cases, the use of AI will involve a type of processing likely to result in a high risk to individuals' rights and freedoms, and will therefore trigger the legal requirement for you to undertake a DPIA." The ICO classifies AI as innovative technology. Combined with any other criterion – which marketing AI almost invariably involves – a DPIA is mandatory.

The template: seven steps in plain language

The ICO publishes a DPIA template and recommends a seven-step process. What follows is that process translated into marketing reality. Each step describes what the ICO expects and what it looks like for a marketing campaign.

Step 1: Screen the need

Before starting a full DPIA, screen your campaign against the EDPB's nine criteria and the ICO's published list. If two or more criteria are engaged, proceed with the full assessment. If the answer is genuinely no, document the screening decision and your reasoning. The ICO advises: if you are in any doubt, do the DPIA.

Step 2: Describe the processing

This is where most marketing DPIAs fail. The ICO requires four dimensions: nature (how data is collected, stored, used, who has access, what technology is involved), scope (volume, variety, sensitivity, number of individuals, geography), context (data source, relationship with individuals, their expectations, previous experience), and purposes (business objectives, intended outcomes).

For a marketing campaign, this means documenting the actual data flows – not a high-level summary of what the platform does, but where the data comes from, what happens to it at each stage, who processes it, and where it goes. A data flow diagram is not formally required but is strongly recommended. If you can't describe the processing precisely, you don't understand it well enough to assess its risks.

Step 3: Consultation

The ICO states you should seek and document the views of individuals or their representatives "unless there is a good reason not to." For marketing DPIAs, this might mean reviewing existing customer feedback, analysing consent withdrawal rates, or consulting your customer advisory panel. If you decide not to consult, document the reason – commercial confidentiality or disproportionate effort are acceptable justifications, but the decision must be recorded.

The DPO must also be consulted (Article 35(2)). Their role is advisory: they assess the DPIA's quality and the adequacy of proposed mitigations. If their advice is not followed, the reasons must be documented. The Dutch Data Protection Authority fined ICS €150,000 specifically for conducting high-risk processing without enabling DPO involvement in the DPIA.

Step 4: Assess necessity and proportionality

This is the data minimisation test applied to your campaign. Could the same marketing objective be achieved with less data, less invasive processing, or without personal data altogether? If a campaign can succeed using contextual targeting rather than behavioural profiling, the more invasive approach may be disproportionate.

Document the lawful basis for each processing activity, the measures preventing function creep (data collected for one campaign used for another), data quality controls, data minimisation decisions, and how individuals are informed about the processing.

Step 5: Identify and assess risks

The focus must be on risks to individuals, not risks to your organisation. That's the most common confusion in marketing DPIAs. The relevant risks include unwanted marketing, loss of control over personal data, inaccurate profiling, discriminatory targeting, data breaches exposing behavioural profiles, and opaque automated decisions.

The ICO uses a likelihood × severity matrix. Their guidance is clear: harm doesn't have to be inevitable to qualify as a risk. "Any significant possibility of very serious harm may still be enough to qualify as a high risk." Rate each identified risk and document your reasoning.

Step 6: Identify mitigation measures

For each risk, identify specific measures that reduce or eliminate it. Generic statements like "we will implement security measures" are not sufficient – the ICO's Snap/MyAI decision rejected mitigations that were "inaccurate or not relevant to the identified risks" and criticised the use of template responses without tailoring.

Marketing-relevant mitigations include: transparency measures (clear privacy notices explaining profiling, data sources, and consequences), data minimisation (collecting only what the campaign needs), accuracy controls (score decay, data cleansing, correction mechanisms), human oversight (meaningful review before significant automated actions), retention limits (time-bound behavioural data, automatic deletion), access controls on profiling data, and mechanisms for individuals to access their profile, object to profiling, or request correction.

Record whether each measure reduces or eliminates the risk, and assess the residual risk that remains after mitigation.

Step 7: Sign off and record

Document who approved the mitigations, who accepted the residual risks, the DPO's advice and whether it was followed, and the date for the next review. If any residual risk remains high after all mitigations, you must consult the ICO under Article 36 before proceeding.

Set a review date. The EDPB recommends reviewing DPIAs at least every three years, but marketing campaigns change faster than that. Review triggers include: new data sources, new technology, changed purposes, security incidents, or significant changes in processing volume.

Worked example: lead scoring DPIA

A firm is implementing a lead scoring system within its marketing automation platform. The system will assign scores to contacts based on website behaviour, email engagement, form submissions, and CRM data, then automatically route high-scoring leads to sales.

Description of processing

Data sources: Website analytics (pages viewed, session duration, content downloaded), email platform (opens, clicks, unsubscribes), form submissions (job title, company, stated interests), CRM records (purchase history, sales interactions), and third-party firmographic enrichment data.

Processing operations: Data is collected via tracking scripts, email APIs, and form handlers. An identity resolution process unifies multiple data sources into single contact records. A scoring algorithm assigns points for behavioural signals (engagement scoring) and demographic fit (fit scoring). Contacts are segmented as marketing-qualified or sales-qualified based on score thresholds. Automated workflows route high-scoring leads to sales representatives and assign low-scoring contacts to nurture sequences.

EDPB criteria engaged: Evaluation or scoring (the core function); matching or combining datasets (CRM, email, web, and enrichment data from different processing operations); innovative technology (if AI or machine learning drives the scoring model); and systematic monitoring (continuous tracking of website behaviour). Four criteria. A DPIA is required.

Necessity and proportionality

The business objective is to prioritise sales effort towards the contacts most likely to convert, reducing wasted outreach and improving conversion rates. Lead scoring serves this purpose. The key proportionality questions: are all data sources necessary? Is third-party firmographic enrichment proportionate, or could the firm score adequately on first-party behavioural data alone? Could a simpler rule-based scoring model achieve the objective without the opacity of a machine learning model?

Risk identification and mitigation

Inaccurate profiling. Shared devices, bot traffic, and outdated CRM data can produce wrong scores. Mitigation: implement score decay (reduce scores on old activity), validate enrichment data quality, run regular data cleansing cycles.

Opaque decision-making. Contacts don't know they're being scored, what data feeds the score, or how it affects their experience. Mitigation: update the privacy notice to explain profiling and scoring, describe data sources and logic, explain the consequences (sales contact, content personalisation, nurture assignment), and provide information about the right to object to profiling.

Discriminatory outcomes. Scoring on job title, company size, or geography can correlate with protected characteristics. AI models can perpetuate historical conversion biases. Mitigation: regular audit of score distributions across demographic segments, review scoring criteria for proxies of protected characteristics, ensure human oversight of the model's outputs.

Scope creep. Scores originally designed for sales prioritisation get used for pricing, service-level decisions, or access controls. Mitigation: document that scores are used only for marketing qualification, prohibit use for credit, insurance, employment, or access decisions, and review score usage periodically.

Automated action without human review. High-scoring leads are routed directly to sales without a human checking whether the score is reasonable. Mitigation: ensure sales representatives review scored leads before taking consequential action (not just rubber-stamping the automated output), and build in manual override capability.
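As an added example for the lead scoring mitigations above (not code from the article or from any marketing platform), the following Python implements three of them in working form: exponential score decay plus a retention cut-off for behavioural events, a per-event breakdown of one contact's score that a subject access request or an objection to profiling can draw on, and an audit of mean scores across segments that flags disparities. The point values, the 30-day half-life, the 180-day retention window, the 0.8 disparity ratio, the bot flag on each event and the sample contacts are all assumptions constructed for the example.

```python
"""Engagement scoring with score decay, a retention cut-off, bot filtering,
a per-contact explanation of the score, and a per-segment distribution audit.

Added example for this article; not code from any product. Point values,
half-life, retention window and the disparity ratio are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean

# Assumed point values per behavioural signal (not taken from the article).
POINTS = {"page_view": 1.0, "content_download": 5.0, "email_click": 3.0, "form_submit": 10.0}
HALF_LIFE_DAYS = 30.0   # a signal loses half its weight every 30 days (assumption)
RETENTION_DAYS = 180    # behavioural events older than this are dropped (assumption)
DISPARITY_RATIO = 0.8   # flag a segment whose mean score is below 80% of the best segment


@dataclass(frozen=True)
class Event:
    contact_id: str
    kind: str
    at: datetime
    bot: bool = False  # set by an upstream bot-traffic detector (assumed to exist)


def decayed_points(event: Event, now: datetime) -> float:
    """Score decay: points * 0.5 ** (age_in_days / half_life)."""
    age_days = max(0.0, (now - event.at).total_seconds() / 86400.0)
    return POINTS[event.kind] * 0.5 ** (age_days / HALF_LIFE_DAYS)


def retained(events, now):
    """Retention limit and data cleansing: keep events inside the retention
    window that are not flagged as bot traffic."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    return [e for e in events if not e.bot and e.at >= cutoff]


def score_contacts(events, now):
    """Engagement score per contact after retention, bot filtering and decay."""
    scores = defaultdict(float)
    for e in retained(events, now):
        scores[e.contact_id] += decayed_points(e, now)
    return dict(scores)


def explain_score(contact_id, events, now):
    """Per-event contributions for one contact, newest first: the material a
    subject access request or an objection to profiling needs."""
    rows = [(e.kind, e.at.isoformat(), round(decayed_points(e, now), 3))
            for e in retained(events, now) if e.contact_id == contact_id]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def audit_by_segment(scores, segments):
    """Mean score per segment, and the segments whose mean falls below
    DISPARITY_RATIO times the highest segment mean. The segment attribute
    (company size band, region, job family) is the kind of field the article
    warns can act as a proxy for a protected characteristic."""
    by_seg = defaultdict(list)
    for cid, s in scores.items():
        by_seg[segments.get(cid, "unknown")].append(s)
    means = {seg: mean(v) for seg, v in by_seg.items()}
    if not means:
        return {}, []
    top = max(means.values())
    flagged = sorted(seg for seg, m in means.items() if m < DISPARITY_RATIO * top)
    return means, flagged


# Constructed sample data (not real contacts or real traffic).
NOW = datetime(2026, 2, 14, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    Event("c1", "form_submit", NOW),
    Event("c1", "page_view", NOW - timedelta(days=30)),
    Event("c1", "email_click", NOW - timedelta(days=60)),
    Event("c1", "content_download", NOW - timedelta(days=200)),  # outside retention window
    Event("c2", "page_view", NOW, bot=True),                      # bot traffic, ignored
    Event("c2", "page_view", NOW),
    Event("c3", "form_submit", NOW - timedelta(days=30)),
]
SAMPLE_SEGMENTS = {"c1": "enterprise", "c2": "smb", "c3": "smb"}

if __name__ == "__main__":
    scores = score_contacts(SAMPLE_EVENTS, NOW)
    print(scores)                                      # c1 11.25, c2 1.0, c3 5.0
    print(explain_score("c1", SAMPLE_EVENTS, NOW))     # three contributing events
    print(audit_by_segment(scores, SAMPLE_SEGMENTS))   # "smb" flagged
```

The disparity check only surfaces a difference in outcomes between segments; whether that difference reflects genuine relevance to the sales objective or a proxy for a protected characteristic is the judgement the DPIA has to record, and the segment attribute you audit on should be the one you suspect of acting as that proxy. The explanation rows are what lets a sales representative see why a lead scored highly before acting on it, rather than rubber-stamping the number.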

Residual risk

After mitigation, the residual risks are medium: the system still involves profiling and automated segmentation, but with transparency, human oversight, data minimisation, and regular review in place. No residual risk reaches the threshold requiring ICO consultation under Article 36.

The mistakes that get firms into trouble

Retrospective DPIAs. The requirement is clear: "prior to the processing." Snap launched its MyAI chatbot to all users before substantively engaging with the ICO on its DPIA – the enforcement action that followed produced a 62-page decision and required five DPIA iterations before the ICO was satisfied. A DPIA done after the campaign launches is a DPIA done too late.

Checkbox exercises. The ICO has been explicit: "You should not treat a DPIA as a rubber stamp or tick-box exercise at the end of the design process." Generic risk descriptions copied between projects, template mitigations not tailored to the specific processing, and cross-references to external documents without explaining their relevance were all criticised in the Snap decision.

Doing it once and filing it away. A DPIA is a living document. When you add a new data source, switch platforms, change your scoring model, or expand to a new market, the DPIA must be reviewed. The EDPB recommends review at least every three years; for marketing technology that evolves quarterly, annual reviews are more realistic.

Leaving out the DPO. Article 35(2) is not optional. The DPO advises on the DPIA – they assess its quality, challenge the risk assessment, and evaluate the mitigations. Excluding them is an enforcement risk in its own right.

Treating it as a compliance exercise instead of a design tool. This is the real missed opportunity. The ICO makes the point well: identifying a problem early means a simpler and less costly fix. A DPIA that discovers unnecessary data collection reduces storage costs and breach exposure. A DPIA that forces clarity on data flows improves the technical architecture. A DPIA that documents compliance provides evidence for regulatory inquiries, client due diligence, and procurement processes. The firms that treat DPIAs as design tools build better campaigns. The firms that treat them as paperwork produce worse campaigns and worse DPIAs.

The enforcement reality

DPIA enforcement has historically been light. Analysis of ICO actions between 2018 and 2023 found only two reprimands specifically for Article 35 breaches out of 251 GDPR enforcement instances. But the direction of travel is clear. The CNIL fined Intersport €3.5 million in December 2025, explicitly citing failure to conduct a DPIA before implementing targeted advertising affecting 10.5 million individuals – the most significant EU enforcement action linking DPIAs to marketing. The ICO's Snap decision, while resulting in no fine, established detailed expectations for DPIA quality that will inform future enforcement. And the Irish DPC's ongoing inquiry into Google's PaLM 2 AI model – focused solely on DPIA compliance – signals that DPIAs for AI-driven marketing tools are under increasing regulatory scrutiny.

The Data (Use and Access) Act 2025 left DPIA requirements unchanged. The ICO's guidance is under review but not yet updated. The obligation stands exactly as it was – and the enforcement examples are becoming more, not less, instructive.

Where Penby fits

DPIAs sit at the intersection of two disciplines that rarely overlap. The compliance team understands Article 35 but not the data flows inside HubSpot. The marketing team understands the campaign architecture but not the EDPB's nine criteria. The result is DPIAs that are either technically incomplete or practically useless.

Penby works at exactly this intersection. A DPIA for a lead scoring system needs someone who can read the EDPB guidelines and someone who understands how identity resolution works inside a CDP. That combination is rare. It is what we do.

If you are planning a campaign that involves profiling, behavioural targeting, AI, or large-scale data processing, a DPIA is not optional. Done well, it isn't a burden either. It is the process that turns a campaign from a compliance risk into a defensible, well-designed system. That is the approach we take – and it is how we help our clients build marketing that drives growth without putting their reputation at risk.


Andy Williamson IMCM Cert(IM)

Andy has spent 20 years at the intersection of data protection and marketing technology. He helps organisations build privacy-compliant marketing programmes that respect user rights while driving measurable results.