DPIA & Privacy Impact Assessment
Data Protection Impact Assessments (DPIAs) are required under GDPR Article 35 for processing activities that pose high risks to personal data. They document data flows, risk assessments, mitigations, and compliance decisions — forming the core evidence for privacy compliance.
What DPIA & Privacy Impact Assessment Provides
Full DPIA Report
Complete Data Protection Impact Assessment covering data flows, lawful basis, risk identification, consultation records, and mitigation measures. Required for high-risk processing under GDPR.
Data Flow Mapping
Data flow diagrams and inventories showing how personal data moves through systems, across borders, and between processors. Supports ROPA requirements and breach notification readiness.
Legitimate Interest Assessment
Three-part legitimate interest assessments for processing activities that rely on legitimate interest as the lawful basis. Required for GDPR accountability and compliance evidence.
Third-Party Processor Register
Register of all third-party data processors, sub-processors, and their processing activities. Includes DPA status, transfer mechanism, and location. Required for ongoing GDPR compliance.
How It Connects to Sustalium
Upload DPIA documents, data flow maps, and processor registers to Sustalium. Privacy evidence links directly to GDPR compliance records, data subject rights procedures, and breach notification protocols. Sustalium tracks review schedules and flags expiring DPAs for reassessment.
Used by Compliance Frameworks
Governance & Trade
AI Ethics (EU AI Act)
Document responsible AI governance and compliance with EU AI Act requirements.
GDPR Compliance
Declare your data privacy and security practices for EU customers.
DORA (Digital Operational Resilience)
Demonstrate ICT operational resilience to meet the strict auditing requirements of the EU financial sector.
Frequently Asked Questions
What is a Data Protection Impact Assessment (DPIA) in compliance?
A Data Protection Impact Assessment (DPIA) is a structured process required under GDPR Article 35 for processing activities that pose high risks to individuals' personal data. A DPIA documents the nature, scope, context, and purposes of processing; assesses necessity, proportionality, and compliance measures; identifies and assesses risks to data subjects' rights and freedoms; and specifies measures to address those risks (security controls, pseudonymisation, data minimisation, retention limits). Supporting documents include data flow maps (how personal data moves through systems and across borders), legitimate interest assessments, and third-party processor registers.
Why are DPIAs important for compliance?
DPIAs are legally required under GDPR Article 35 for processing likely to result in high risk to individuals — including systematic profiling, large-scale processing of special categories of data, and systematic monitoring of publicly accessible areas. Failure to conduct a required DPIA can result in regulatory penalties and demonstrates a lack of accountability — a key GDPR principle. Beyond legal compliance, DPIAs demonstrate to regulators and data subjects that the organisation has systematically considered and addressed privacy risks. They are also increasingly required by non-EU privacy laws (Brazilian LGPD, UK GDPR, California CPRA) and by insurance providers as evidence of privacy risk management.
What types of DPIA and privacy assessment evidence exist?
Full DPIA reports cover the complete assessment — processing description, necessity and proportionality assessment, risk identification, consultation records (with Data Protection Officer and, where required, supervisory authority), and mitigation measures. Data flow maps and inventories show how personal data moves through systems, across borders, and between processors — supporting records of processing activities (ROPA) and breach notification readiness. Legitimate interest assessments (LIAs) are three-part assessments required for processing relying on legitimate interest as the lawful basis under GDPR Article 6(1)(f). Third-party processor registers document all data processors and sub-processors, including data processing agreement (DPA) status, transfer mechanisms, and location — required for ongoing GDPR accountability.
How does Sustalium manage DPIA and privacy evidence?
DPIA documents, data flow maps, and processor registers are uploaded to Sustalium and linked to the relevant privacy compliance frameworks. Privacy evidence connects to GDPR compliance records, data subject rights procedures, and breach notification protocols. Sustalium tracks DPIA review schedules — DPIAs must be reviewed when processing operations change significantly — and flags expiring DPIAs for reassessment. Processor registers are linked to procurement records so that new processor engagements automatically trigger DPIA review requirements. For organisations operating across multiple jurisdictions, Sustalium maps privacy compliance requirements to the applicable national implementations of GDPR and other privacy laws.
Which compliance frameworks use DPIA and privacy evidence?
GDPR is the primary framework — Article 35 requires DPIAs, Article 30 requires records of processing activities, Article 32 requires documented security measures, and Article 33 requires documented breach notification procedures. The EU AI Act requires DPIA-like impact assessments for high-risk AI systems. DORA requires ICT risk assessments that overlap with DPIA data processing mapping. The ePrivacy Directive requires privacy assessments for electronic communications processing. Non-EU privacy laws including the UK GDPR, Brazilian LGPD, California CPRA, and China's PIPL all have DPIA or equivalent requirements. ISO 27701 (privacy information management) requires documented privacy impact assessment processes.
Have DPIA data? Sustalium structures privacy evidence for GDPR and data protection compliance.