GDPR Article 35 DPIA + cross-jurisdiction high-risk assessment
Primary statement
GDPR Article 35 DPIA for high-risk processing + Article 36 prior consultation. DPDPA Rule 13(2) annual DPIA for SDFs (Significant Data Fiduciaries). CCPA Reg 7150 risk assessment. MODPA data protection assessment. EU AI Act Article 27 FRIA. The DPIA is the gating control for high-risk processing.
Audit-fatigue payoff
A unified impact assessment template covering GDPR Art 35 + DPDPA DPIA + CCPA Reg 7150 + MODPA 14-4607 + EU AI Act FRIA satisfies the impact assessment requirement across all 7 contributing frameworks.
Strictness matrix
Scope
Scope: processing likely to result in HIGH RISK to the rights and freedoms of natural persons triggers a DPIA. Explicit triggers under Art. 35(3): systematic and extensive evaluation; large-scale special-category data; large-scale monitoring of publicly accessible areas.
Ceiling source: gdpr:Art.35
Rationale: GDPR Art 35(3) high-risk scope is the audit-defensible specification.
Threshold
Threshold: where the DPIA indicates HIGH residual risk despite mitigations, prior consultation with the supervisory authority is required. The residual-risk threshold drives external escalation.
Ceiling source: gdpr:Art.36
Rationale: GDPR Art 36 prior consultation threshold is uniquely strict.
Method
Method: systematic description of processing + necessity assessment + risk to rights and freedoms + mitigations + DPO consultation + data subject consultation where appropriate + supervisory authority consultation if high residual risk.
Ceiling source: gdpr:Art.35
Rationale: GDPR Art 35 method is the canonical DPIA specification.
Frequency
DPIA cadence: per high-risk processing activity, plus annual for SDFs per DPDPA Rule 13(2). MODPA and CCPA: per processing activity at inception and on material change.
Ceiling source: dpdpa:DPDP.20
Rationale: DPDPA annual SDF DPIA is the strictest periodic cadence.
Evidence
Evidence: DPIA per high-risk processing + supervisory consultation records where applicable + DPO advice + Board / executive sign-off + linkage to risk register.
Ceiling source: gdpr:Art.35
Rationale: GDPR Art 35 evidence is the canonical DPIA package.
Auditor test pattern
Step 1: Inspect the DPIA register. Step 2: Sample one high-risk DPIA. Step 3: Verify DPO advice was incorporated. Step 4: For high residual risk, verify Art 36 prior consultation took place. Step 5: For SDFs, verify an annual DPIA per Rule 13(2).
Common findings
Common findings: (1) DPIA exists for the original processing but was not refreshed on material change; (2) DPO advice formal rather than substantive; (3) Art 36 prior consultation skipped despite high residual risk; (4) Annual SDF DPIA absent.
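The auditor test pattern and the four common findings above can be run mechanically over a DPIA register. The following is an added example, not part of the original page or any framework's own tooling; it assumes a register with the fields shown (the `dpo_advice_incorporated` flag is an assumption, since whether DPO advice was substantive rather than formal must be recorded by a human reviewer), and the sample register is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class DpiaRecord:
    activity: str
    high_risk: bool                  # Art 35(1)/(3) trigger met
    dpia_date: Optional[date]        # latest DPIA; None if never carried out
    material_change: Optional[date]  # latest material change to the processing
    residual_risk: str               # "low" or "high" after mitigations
    dpo_advice_incorporated: bool    # assumed field: substantive DPO advice recorded
    art36_consulted: bool            # prior consultation with supervisory authority
    is_sdf: bool                     # DPDPA Significant Data Fiduciary activity

def audit_register(register: List[DpiaRecord], as_of: date) -> List[Tuple[str, str]]:
    """Apply the five-step auditor test and return (activity, finding) pairs."""
    findings = []
    for r in register:
        if not (r.high_risk or r.is_sdf):
            continue                       # out of scope: no DPIA trigger
        if r.dpia_date is None:
            findings.append((r.activity, "DPIA missing for in-scope processing"))
            continue                       # nothing further to check without a DPIA
        if r.material_change and r.material_change > r.dpia_date:
            findings.append((r.activity, "F1: DPIA not refreshed after material change"))
        if not r.dpo_advice_incorporated:
            findings.append((r.activity, "F2: DPO advice not incorporated"))
        if r.residual_risk == "high" and not r.art36_consulted:
            findings.append((r.activity, "F3: Art 36 prior consultation missing"))
        if r.is_sdf and as_of - r.dpia_date > timedelta(days=365):
            findings.append((r.activity, "F4: annual SDF DPIA overdue (Rule 13(2))"))
    return findings

# Constructed sample register (not real processing activities).
AS_OF = date(2025, 1, 15)
SAMPLE_REGISTER = [
    DpiaRecord("Fraud scoring", True, date(2024, 3, 1), date(2024, 9, 15), "low", True, False, False),
    DpiaRecord("Biometric access", True, date(2024, 6, 1), None, "high", True, False, False),
    DpiaRecord("Health platform", True, date(2023, 11, 1), None, "low", True, False, True),
    DpiaRecord("Marketing analytics", True, None, None, "low", False, False, False),
    DpiaRecord("Payroll", False, None, None, "low", False, False, False),
]

def sample_findings() -> List[Tuple[str, str]]:
    return audit_register(SAMPLE_REGISTER, AS_OF)

if __name__ == "__main__":
    for activity, finding in sample_findings():
        print(f"{activity}: {finding}")
```

Each finding maps back to a step of the auditor test, so the output doubles as the evidence index for the sampled DPIAs.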