Data Protection Impact Assessment (DPIA) under the Brazilian law

Under the new Brazilian Data Protection Law (LGPD), data controllers are required to comply with a number of mandatory obligations. 

A DPIA is performed in order to assess “the risk of data processing activities to the fundamental rights and liberties of data subjects in specific circumstances” (Article 5, XVII LGPD). Even if the new LGPD requires data controllers to comply with this obligation, specific instructions concerning how to perform a DPIA and when this assessment is required have not been established yet. 

Article 38, for instance, only specifies that the performance of DPIAs might be requested by the Brazilian Data Protection Authority (ANPD). Moreover, Article 10 LGPD states that “The national authority may request the controller a data protection impact assessment, when processing is based on her/his legitimate interest, being observed commercial and industrial secrecy.”

What should a DPIA contain?

The ANPD has not published guidelines and regulations on DPIAs providing for additional information yet. At this moment, only Articles 5 and 38 LGPD briefly refer to what should be contained therein: 

1. Description of the proceedings of processing of the personal data that could impose risks to civil liberties and fundamental rights;
2. Description of the types of data processed;
3. Means used to collect personal data;
4. Measures and safeguards implemented to protect personal data;
5. Mechanisms to mitigate risks.

It is also recommended to always include the identification of the Data Protection Officer in order to provide the authority with a direct point of contact.

Given the importance of these assessments, which are also found in other important data protection laws such as, for instance, the GDPR, we can derive important information on how a DPIA should be carried out and the standard situations in which such an assessment is likely to be mandatory.

Scenarios that usually entail a high risk to data subjects

• Processing of personal data through innovative technologies or automated decision-making processes;
• Processing of sensitive personal data or personal data relating to minors;
• Tracking of geolocation or data subjects’ behaviour profiling.

Considering the complexity of this assessment and the fact that direct action by the ANPD to further regulate the matter is still awaited, it is always advisable to rely on experienced data protection consultants.