What is a DPIA under GDPR?

A Data Protection Impact Assessment (DPIA) is required under GDPR Article 35 when processing is likely to result in a high risk to the rights and freedoms of individuals. This includes systematic profiling with legal effects, large-scale processing of special categories of data, and systematic monitoring of public areas. A DPIA must describe the processing, assess necessity and proportionality, identify risks, and define mitigating measures. If residual risk remains high after mitigation, the controller must consult the supervisory authority under Article 36. DPIA workflows are on the Acuna Data Protection module roadmap; currently, processing activities can be documented and linked to controls and assets to support DPIA preparation.
