What is a DPIA?

Data Protection Impact Assessment — concept, objectives and regulatory framework.

Legal Definition

A concept provided for in Article 35 of the GDPR, mandatory since 2018.

The Data Protection Impact Assessment (DPIA), also designated as Avaliação de Impacto sobre a Protecção de Dados (AIPD) in Portuguese, is a structured process for identifying, analysing and evaluating the risks that a given processing operation may pose to the rights and freedoms of individuals.

As established in Article 35(1) of the GDPR, "where a type of processing in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing on the protection of personal data".

DPIA is not an end in itself, but a risk management tool that aims to:

DPIA Objectives

DPIA pursues multiple complementary objectives within the framework of GDPR compliance.

Legal Compliance

Ensure that processing complies with the principles and requirements of the GDPR, in particular Articles 5, 32 and 35.

Risk Management

Systematically identify and evaluate risks to the rights and freedoms of data subjects.

Demonstrated Accountability

Document in a structured manner the measures adopted to ensure compliance (accountability).

Prior Consultation

Inform the Supervisory Authority about high-risk processing before its implementation (Article 36).

DPIA vs FRIA vs CSIA vs IA — Distinction

DPIA is part of an ecosystem of impact assessment tools. Learn the differences.

Instrument  Scope                          Framework                      Portal
----------  -----------------------------  -----------------------------  ---------------------
DPIA        Personal data, privacy         GDPR (Article 35)              dpia.pt
FRIA        Financial regulation           Financial Law (CVM)            aidf.pt
CSIA        Industrial cybersecurity       NIS 2 Directive (2022/2555)    aics.pt
IA          Regulatory impact of policies  Regulatory Impact Law          impactoregulatorio.pt

Although they use similar risk assessment methodologies, each instrument serves distinct regulatory objectives and legal contexts.

Historical and Regulatory Context

DPIA is an innovation of the GDPR, with mandatory application since May 2018.

May 2016

GDPR Approval

The General Data Protection Regulation (EU) 2016/679 is adopted, introducing the concept of DPIA in Article 35.

May 2018

Entry into Force

The GDPR becomes applicable and mandatory in all Member States. DPIA becomes mandatory for high-risk processing.

December 2019

EDPB WP248 Opinion

The European Data Protection Board publishes the impact assessment opinion (WP248), establishing 9 risk assessment criteria.

2020 — Present

National SA Guidance

National Supervisory Authorities provide guidance and recommendations on DPIA requirements in their jurisdictions.

Responsible Parties

DPIA is the responsibility of the Data Controller, with involvement of the Data Protection Officer.

Data Controller

The legal obligation to conduct DPIA falls on the data controller. They may delegate execution but remain responsible for the results.

Data Protection Officer (DPO)

When designated (mandatory for public authorities), the DPO plays a central role in guiding, reviewing and approving the DPIA.

Relevant Experts

DPIA should involve specialists in IT, security, compliance, legal and operational areas as appropriate.

Prior Consultation (Article 36)

In certain cases, the controller must consult the Supervisory Authority before implementation.

Article 36 of the GDPR establishes that when a DPIA indicates a high risk that the controller cannot adequately mitigate, they must consult the Supervisory Authority before proceeding with the processing.

In Portugal, the national Supervisory Authority maintains a list of processing operations that require mandatory prior consultation. Failure to consult when required can result in administrative sanctions.

Need Assistance?

Audiqcer offers professional DPIA conducting, reviewing and training services.

The information on this website is for informational purposes only and does not constitute legal advice. Conducting a DPIA should be accompanied by qualified professionals.