20 min · Sofía

DPIA and Risk Analysis

When a DPIA is mandatory, AEPD methodology, verification checklist, necessity and proportionality analysis, mitigation measures and prior consultation.

What Is a DPIA and When Is It Mandatory?

A Data Protection Impact Assessment (DPIA) is a prior analysis that identifies and mitigates the risks that personal data processing may pose to individuals' rights and freedoms. Art. 35 GDPR establishes that it is mandatory when processing is "likely to result in a high risk" to the rights and freedoms of natural persons.

When It Is Mandatory

The GDPR explicitly mentions three cases:

  1. Systematic and extensive evaluation of personal aspects (profiling, scoring, automated decisions with legal effects).
  2. Large-scale processing of special categories of data (Art. 9) or data relating to criminal convictions (Art. 10).
  3. Systematic large-scale monitoring of a publicly accessible area (mass video surveillance).

Additionally, the AEPD has published a list of processing operations requiring a mandatory DPIA. For law firms, the most relevant scenarios are: large-scale or systematic processing of special category data (health, ethnic origin, sexual orientation), profiling individuals to assess their legal situation, and processing that combines multiple data sources to generate new inferences.

When It Is Not Mandatory

If the processing does not meet any of the above criteria, it is not mandatory. However, the AEPD recommends at least a basic risk analysis for any processing operation. In practice, documenting that you assessed whether a DPIA was needed already demonstrates due diligence.

AEPD Methodology

The AEPD provides a practical guide for conducting DPIAs in six phases:

  1. Processing description: What data is processed, for what purpose, what technology is used, who has access.
  2. Necessity and proportionality analysis: Is it necessary to process this specific data? Could the same purpose be achieved with less intrusive data or anonymization techniques?
  3. Risk identification: For each processing phase, list what could go wrong (unauthorized access, loss, misuse, re-identification).
  4. Risk assessment: Classify each risk by probability (low, medium, high) and impact (minor, significant, severe).
  5. Mitigation measures: For each identified risk, define technical or organizational controls (encryption, access control, training, internal policies).
  6. Conclusion and action plan: If residual risk remains high after measures, you must conduct prior consultation with the AEPD (Art. 36).

Verification Checklist for the Firm

Before starting any significant new processing operation, verify:

  1. Have I fully described and documented the processing?
  2. Is there a clear legal basis (Art. 6)?
  3. Am I complying with data minimization?
  4. Have I assessed whether a DPIA is needed?
  5. Have I identified specific risks to data subjects?
  6. Have I defined proportional mitigation measures?
  7. Is the residual risk acceptable, or must I consult the AEPD?

Prior Consultation (Art. 36 GDPR)

If after applying all mitigation measures the residual risk remains high, the controller must consult the AEPD before starting the processing. The AEPD has 8 weeks (extendable to 14) to issue its opinion. In practice, prior consultation is very rare: the need for it indicates that the processing requires significant redesign.


Module quiz

  1. A criminal law firm regularly processes client conviction and offence data. Must it conduct a DPIA?
  2. During the DPIA, you conclude that processing can be achieved with anonymized data instead of personal data. What principle supports this change?
  3. You conduct a DPIA and after applying all mitigation measures, the residual risk remains high. What is the mandatory next step?
  4. An employment law firm wants to implement an AI system that analyses client case files to predict judicial outcomes. Does it need a DPIA?
  5. In the risk assessment phase of the DPIA, what two dimensions must you consider for each identified risk?
