ClearLaunch

Data protection impact assessment (DPIA) process

dpia-process · Domain: data-privacy · Type: process

Description

A DPIA (Data Protection Impact Assessment) is the GDPR Article 35 structured-risk-analysis exercise that runs before any processing operation likely to result in high risk to data subjects: large-scale processing of sensitive categories, systematic monitoring of public spaces, automated decision-making with legal or similarly significant effects, profiling of children, and the other triggers listed by the Article 29 Working Party guidelines (now under the EDPB) and by member-state DPAs in their respective blacklists.

The shape of the assessment is roughly: a description of the processing operation, a necessity-and-proportionality analysis against the stated purpose, a risk assessment that identifies the threats to data-subject rights and freedoms (with severity and likelihood), and a mitigation plan that brings the residual risk down to an acceptable level. Where mitigation cannot bring the risk below high, Article 36 requires prior consultation with the supervisory authority before the processing begins.

The DPIA is the operative gate for whether the processing can launch at all; a thorough DPIA that surfaces unmitigable risk is doing its job rather than failing it, even though the operational pressure on the privacy team typically runs the other way. Most DPIA failures observed in enforcement come from boilerplate templates that produce uniformly low residual-risk scores regardless of the underlying processing, which the regulators read (correctly) as the team going through the motions.

Required by (8 regulations)

  • CA AADC

    Cal. Civ. Code §§1798.99.28-1798.99.40 (AB 2273, 2022)

  • DPDPA

    Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), published in the Gazette of India on August 11, 2023

  • GDPR

    Article 35 — DPIA mandatory when processing is likely to result in high risk.

    Regulation (EU) 2016/679 of the European Parliament and of the Council

  • LGPD

    Article 38 — Relatório de Impacto à Proteção de Dados Pessoais on ANPD request.

    Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

  • PDPL

    Royal Decree M/19, dated 9/2/1443 AH (September 16, 2021), Personal Data Protection Law, effective September 14, 2023

  • UAE Data Protection Law
  • UK AADC

    Standard 2 — DPIA explicitly required for services likely to be accessed by children.

    Data Protection Act 2018, s.123; Age Appropriate Design: A Code of Practice for Online Services (ICO, 2020)

  • Vietnam PDPD

Fulfilled by (3)

  • onetrust · full · medium effort · $$
  • transcend · partial · medium effort · $$
  • In-house build · high effort
    CNIL / ICO templates work for static risks; tracking changes over time is the bigger lift.

ClearLaunch does not accept payment from vendors. Methodology.

Evidence formats

  • DPIA template
  • completed DPIAs
  • risk register
  • mitigation tracker

ClearLaunch provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.


Built by Neel Patel, in-house game counsel. Games touch more compliance domains at once than anything else in tech. That's what ClearLaunch was designed around.

Operated by a Washington-licensed attorney. Not licensed in California or other US states. Data reviewed through March 2026.

© 2026 ClearLaunch · Terms · Privacy