Understanding Data Privacy Impact Assessments: Legal Requirements, Risk Assessment, and Best Practices

Jan 28, 2025 – Blog by Krystle M.D. Dalke

With the arrival of Data Privacy Day, the spotlight shines on the critical importance of safeguarding personal data and adhering to evolving privacy regulations. For privacy officers, attorneys, and executives tasked with steering their organizations through a labyrinth of legal obligations, conducting Data Protection Impact Assessments (DPIAs) is a cornerstone of compliance strategy and risk mitigation. DPIAs, also referred to as Privacy Impact Assessments (PIAs), play a pivotal role in identifying and addressing risks associated with data processing activities. This legal alert highlights U.S. and international requirements for DPIAs, criteria for identifying high-risk activities, and best practices for achieving compliance.

Examples of Legal Frameworks Mandating DPIAs

United States

In the United States, DPIA requirements are fragmented across various federal and state laws:

  1. Federal Trade Commission (FTC): There is no general federal statute mandating DPIAs. The FTC relies on Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices, and has used consent orders against companies found to have violated it to require ongoing privacy and data security assessments; it has also signaled heightened scrutiny of companies that process sensitive data.
  2. State Laws: Under California’s privacy laws (the CCPA, as amended by the CPRA), businesses must conduct risk assessments when processing sensitive personal information or when a processing activity presents a significant risk to consumers’ privacy or security. The California Privacy Protection Agency (CPPA) is currently finalizing regulations on these assessments, and the requirements will be updated in the coming months, including the timeframe for businesses to submit their risk assessments to the CPPA.

Most other states with comprehensive privacy laws (e.g., Colorado, Connecticut, Virginia, Texas, Delaware, and Indiana, to name a few) require businesses or controllers to conduct DPIAs or PIAs when a proposed processing activity presents a heightened risk to an individual’s privacy or data. Such activities include processing sensitive information, use of new or novel technologies, monitoring consumer behavior, profiling or targeted advertising, or use of automated decision-making that may affect certain rights or freedoms. Some states’ laws are more prescriptive than others about which activities require a DPIA, so the trigger list must be checked state by state.

Data protection assessments are not required under Iowa’s or Utah’s comprehensive privacy laws, but conducting DPIAs or PIAs is still considered a best practice for organizations focused on protecting their clients’ or customers’ data and privacy interests.

International Requirements

  1. General Data Protection Regulation (GDPR): Article 35 mandates DPIAs when data processing is likely to result in a high risk to individuals’ rights and freedoms. Examples include profiling, automated decision-making, systematic monitoring, or processing sensitive data at scale.
  2. Brazil’s General Data Protection Law (LGPD): The LGPD requires that DPIAs be conducted to evaluate risks to the fundamental rights and liberties of data subjects in certain instances, including the processing of sensitive data or processing based on a legitimate interest. At a minimum, a DPIA must include a description of the types of data collected, the methodologies used for collection and for assuring information security, and the controller’s analysis of the measures, safeguards, and risk mitigation mechanisms adopted.
  3. China’s Personal Information Protection Law (PIPL): Companies that engage in certain types of personal information processing are obligated to conduct a Personal Information Protection Impact Assessment (PIPIA). A PIPIA closely resembles a DPIA under the GDPR: its purpose is to evaluate the potential risks and impacts of handling personal information so that organizations can identify and address privacy and data protection concerns. The following activities require a PIPIA: processing sensitive data, using personal information for automated decision-making, entrusting personal information processing to a contractor or other third party, transferring personal information overseas, or other processing activities that have a significant impact on personal rights and interests.
  4. Other Jurisdictions: Countries such as Canada, Australia, and Japan also have DPIA-like requirements or regulator guidance under their respective privacy regimes, in some cases mandatory only for government agencies and recommended as good practice for the private sector.

Determining High-Risk Processing Activities

While some privacy laws are fairly explicit about the types of processing activities that require risk assessments, others are less prescriptive about which high-risk activities or types of processing may affect fundamental rights or interests. High-risk activities are those likely to significantly affect the privacy rights of individuals. The criteria set out in the Article 29 Working Party’s DPIA guidelines under the GDPR, echoed in many other laws, include the following; as a rule of thumb from those guidelines, processing that meets two or more of these criteria should generally be treated as high risk and assessed:

  1. Evaluation or Scoring: Profiling for decision-making affecting individuals’ rights or access to services.
  2. Automated Decision-Making: Processing with legal or significant effects.
  3. Systematic Monitoring: Observing public spaces or behaviors at scale.
  4. Sensitive Data: Processing special categories of data, such as health, ethnicity, or political opinions.
  5. Large-Scale Processing: Activities involving significant volumes of data over broad geographic areas.
  6. Vulnerable Data Subjects: Data from children, employees, or individuals in unequal power dynamics.
  7. Innovative Use of Technology: Using new or emerging technologies, such as facial recognition or Internet of Things (IoT) devices, which might involve novel forms of data collection and use.
  8. Matching or Combining Datasets: Merging datasets from different sources, which might exceed individuals’ reasonable expectations of privacy (e.g. combining customer data from various platforms to create detailed profiles).
  9. Data Transfers Across Borders: Transferring data to jurisdictions without adequate data protection standards.

Steps to Conduct a DPIA

Conducting a DPIA involves a systematic approach to identify and mitigate risks associated with data processing activities. Below is a list of key steps:

  1. Identify the Need for a DPIA: Determine whether the processing activity meets the criteria that make a DPIA mandatory. Use screening tools or checklists to assess whether the activity is “likely to result in high risk,” such as the Article 29 Working Party/EDPB DPIA guidelines and, under the GDPR, the lists of processing operations requiring a DPIA that each supervisory authority publishes under Article 35(4).
  2. Describe the Processing Activities: It’s important to consider the purpose of the processing by stating the intended benefits, objectives, and outcomes of the data processing.  Outline how data will be collected, used, stored, and deleted. Include the data sources and whether data sharing with third parties is involved. Specify the volume of data, geographical scope, categories of personal data, and retention periods. Describe the relationship with data subjects, expectations of data use, and any prior concerns or issues.
  3. Assess Necessity and Proportionality:  Justify the lawful basis for the processing activity. Ensure the data collected is adequate, relevant, and limited to the intended purpose (data minimization principle). Verify whether the processing aligns with privacy principles and supports individuals’ rights under applicable laws.
  4. Identify and Assess Risks: Identify risks to individuals’ rights and freedoms, such as data breaches, unauthorized access, discrimination, or reputational harm. Estimate the severity and likelihood of each risk to prioritize mitigation efforts. Highlight risks related to regulatory requirements and organizational obligations.
  5. Mitigate Risks: Propose measures to eliminate or reduce identified risks. Examples include: encryption and pseudonymization to protect sensitive data; limiting access to data through role-based controls; or implementing secure deletion practices for data no longer required.  Evaluate the residual risks after mitigation measures are applied.
  6. Document the DPIA: Prepare a detailed report that includes a description of the processing activities, all identified risks and their assessments, proposed mitigation strategies, and the rationale for accepting any residual risk. Ensure the DPIA is accessible for internal teams to review. Regulators may also request a copy: several U.S. state laws allow the attorney general to demand a data protection assessment during an investigation, a GDPR supervisory authority may request it, and California’s proposed regulations contemplate periodic submission of risk assessments to the CPPA.
  7. Consult Stakeholders: Engage with relevant internal and external stakeholders, such as data protection officers (DPOs), information security experts, and legal and compliance teams.  Collect feedback from data subjects or representatives when appropriate.
  8. Seek Approval: Once in final form, obtain formal approval of the DPIA findings from the DPO or relevant decision-makers within the organization. If a high residual risk remains after mitigation, the GDPR (Article 36) requires prior consultation with the supervisory authority before the processing begins.
  9. Integrate Findings into Workstreams: Incorporate outcomes of the DPIA into project plans, operational processes, and organizational policies.  Assign clear responsibilities for implementing mitigation measures and monitoring compliance.
  10. Review and Update: Regularly review the DPIA to ensure it remains relevant and accurate, particularly when significant changes occur in the processing activity or new risks emerge due to technological or regulatory developments.

Best Practices for DPIA Implementation

For efficiency, establish standardized processes by using templates or questionnaires to streamline DPIA preparation. To maintain compliance across jurisdictions, adapt assessments to meet multiple legal requirements at once by building a unified approach around the criteria that overlap in U.S. and international laws.

Integrate DPIAs into project management and product development lifecycles. Align DPIA findings with broader risk management strategies. Involve stakeholders across legal, IT, and operational teams to foster cross-functional collaboration. Regular consultations with the DPO or compliance officer can enhance alignment among multiple departments or projects; in other words, get the complete picture for your organization.

Conclusion

As we navigate the complexities of global data privacy regulations, DPIAs offer a structured approach to compliance and risk reduction. Leveraging DPIAs not only ensures legal adherence, but also reinforces organizational integrity and consumer trust. On this Data Privacy Day, prioritize privacy risk assessments as a key component of your governance strategy.

Hinkle Law Firm is dedicated to helping you achieve privacy compliance, guiding you every step of the way. Our privacy attorneys understand a wide range of privacy laws, cybersecurity best practices, and regulatory priorities. We collaborate with you and your HR or IT teams to assess current cybersecurity measures, recommend ways to mitigate risks, and implement stronger programs and practices.

Ready to enhance your business’s privacy practices or schedule a compliance assessment or training? Contact Krystle Dalke, CIPM and CIPP/US, at 316-631-3181 or kdalke@hinklaw.com.
