
Data Protection Impact Assessment / risk assessment for high-risk processing

Primary statement

Impact assessment for high-risk processing: GDPR Art 35 + 36 + CCPA Reg 7150 (effective Jan 2026, attestation Apr 2028) + MODPA 14-4607 + EU AI Act Art 27 FRIA + CSA cloud + ISO 42001 AI impact. A unified DPIA-equivalent artefact captures all regimes through structured per-regime fields.

Audit-fatigue payoff

A unified DPIA template covering GDPR Art 35 + DPDPA SDF DPIA + CCPA Reg 7150 + MODPA 14-4607 + EU AI Act Art 27 FRIA + ISO 42001 AISIA satisfies impact assessment across all 6 contributing frameworks. One artefact, multiple regimes.

Strictness matrix

Scope: processing likely to result in high risk to rights and freedoms (GDPR) + sale/sharing/SPI/profiling (CCPA Reg 7150) + heightened risk of harm (MODPA) + high-risk AI (EU AI Act Art 27). Combined scope.
  Ceiling source: gdpr:Art.35
  Rationale: GDPR Art 35 is the foundational scope; CCPA + MODPA + EU AI Act extend it.

Threshold: high residual risk after mitigations triggers supervisory authority consultation (GDPR Art 36).
  Ceiling source: gdpr:Art.36
  Rationale: the GDPR Art 36 prior-consultation threshold is uniquely strict.

Method: unified DPIA template covering systematic description + necessity assessment + risk assessment + mitigations + DPO consultation + per-regime additional fields (CCPA Reg 7150 attestation prep + MODPA 14-4607 health data + EU AI Act Art 27 FRIA six elements).
  Ceiling source: gdpr:Art.35
  Rationale: GDPR Art 35 + per-regime extensions form the unified method.

Frequency: per high-risk processing at inception + on material change. CCPA Reg 7150 annual attestation (from Apr 2028). MODPA per processing activity.
  Ceiling source: gdpr:Art.35
  Rationale: per-processing + annual CCPA attestation is the audit-defensible cadence.

Evidence: DPIA per high-risk processing + per-regime additional fields + supervisory consultation records + DPO advice + annual CCPA attestation prep.
  Ceiling source: gdpr:Art.35
  Rationale: GDPR Art 35 unified-template evidence is comprehensive.

Auditor test pattern

Step 1: Inspect the unified DPIA template.
Step 2: Sample one high-risk processing DPIA.
Step 3: Verify per-regime fields are populated.
Step 4: For high residual risk, verify Art 36 consultation took place.
Step 5: Verify CCPA Reg 7150 attestation prep is underway.

Common findings

(1) DPIA covers GDPR but misses MODPA / CCPA / EU AI Act fields.
(2) Per-regime fields are theoretical, not substantive.
(3) Annual CCPA attestation prep not started.
(4) DPO advice is formal, not substantive.