Table of Contents
The Data Protection Impact Assessment Report (RIPD), Also known as Data Protection Impact Assessment (DPIA)This is a fundamental document in which companies demonstrate all the personal information they collect, process, use, and share, as well as the measures adopted to mitigate risks that may affect the civil liberties and fundamental rights of the data subjects.
Whether or not the preparation of a Data Protection Impact Assessment (DPIA) is mandatory is linked to the risks that the company's data processing activity presents.
Furthermore, the preparation of the RIPD (Recovery and Impact Assessment of Personal Data) constitutes a good practice on the part of the organization to reduce the risks involved in a given personal data processing operation.
In what context does the ANPD recommend that the RIPD be prepared?
As a general rule, the preparation of the Data Protection Impact Assessment (DPIA) is recommended in any context where personal data processing operations may generate a high risk to the guarantee of the general data protection principles foreseen in the LGPD (Brazilian General Data Protection Law). However, the LGPD also lists some other specific situations in which the DPIA may be required by the ANPD (National Data Protection Authority), see below:
- In data processing operations carried out exclusively for purposes of public security, national defense, state security, or activities related to the investigation and repression of criminal offenses (Article 4, § 3);
- When the treatment is based on the hypothesis of legitimate interest (art. 10, § 3º);
- For public officials, including determinations regarding the publication of the RIPD (art. 32);
- For controllers in general, regarding their processing operations, including those involving sensitive personal data (art. 38).
Therefore, there will be situations in which the controller will prepare the RIPD to comply with the ANPD's determination or, in accordance with the principle of accountability and transparency (art. 6, X).
When is it necessary to prepare a Data Protection Impact Assessment?
It is recommended that the controller prepare the Data Protection Impact Assessment (DPIA) before initiating the processing of personal data for a specific purpose. This way, the controller can understand in advance what problems may arise and identify the likelihood of each risk factor occurring, as well as its impact on the fundamental rights and freedoms of data subjects. Appropriate mitigation measures and mechanisms can then be adopted for each specific situation.
The RIPD has already been prepared, so what now?
After the Data Protection Impact Assessment is prepared, the controller must evaluate the feasibility of continuing with the personal data processing activities that led to the creation of the report or determine whether it is necessary to make modifications to the way the data is processed.
The data controller will follow the recommendations of the RIPD (Data Protection Regulatory Authority). Especially those adopted by the controller regarding the implementation of measures, safeguards, and risk mitigation mechanisms.
Finally, it is advisable for the controller to conduct regular reviews of the RIPD, especially when new events occur that may justify changes to the identified risks, such as changes in processing operations, the identification of new risk factors, the worsening of previously identified risk factors, or in response to new regulations or guidelines issued by the ANPD.
In summary, in an increasingly data-driven world, the proper development and implementation of the RIPD (Data Protection Impact Assessment) are essential to protect the fundamental freedoms and rights of data subjects and ensure compliance with the LGPD (Brazilian General Data Protection Law).
Therefore, awareness and continued adherence to these practices are crucial for maintaining the integrity and security of personal data.
