Inori
© 2026 Inori Inc.


Data Protection Impact Assessment (DPIA)

A documented risk analysis required before processing activities that present a heightened risk to consumers — such as profiling, targeted advertising, sale of personal data, or processing of sensitive categories.

Overview

A Data Protection Impact Assessment (DPIA) is a structured, written analysis a controller performs before engaging in processing that poses a meaningful risk of harm to consumers. The DPIA weighs the benefits of the activity (to the business, the consumer, and other stakeholders) against the potential risks to the rights and freedoms of the data subject, and documents the safeguards applied to mitigate those risks.

The concept originates in GDPR Article 35 and has been adopted, with variations, by most US state comprehensive privacy laws. In most US states the DPIA is an internal record rather than a filing: the controller keeps it and must produce it to the attorney general on request, typically in response to a civil investigative demand. It therefore becomes discoverable during enforcement actions and serves as evidence of the controller's good-faith compliance posture.

DPIAs are not a one-time artifact. They must be revisited when the processing materially changes (new data categories, new vendors, a new purpose) and retained for the duration of the processing plus a reasonable look-back window — typically 3 to 5 years.

When It Applies

A DPIA is triggered when the controller engages in any of the following high-risk processing activities:

  • Targeted advertising based on cross-context behavioral inferences
  • Sale of personal data (see Sale of Personal Information)
  • Profiling that produces legal or similarly significant effects
  • Processing of sensitive personal information — health, biometric, genetic, precise geolocation, racial or ethnic origin, sexual orientation, immigration status (see Sensitive Personal Information)
  • Processing of children's data (under 13 universally; under 16 or 17 in several states)
  • Any processing that presents a heightened risk of harm — a catch-all that regulators increasingly apply to algorithmic decision-making, emotion recognition, and large-scale surveillance

Variations Across Jurisdictions

State | DPIA required | Notable scope
California (CCPA/CPRA) | Yes | Risk assessments required for "significant risk" processing; CPPA ADMT regulations add automated decision-making triggers
Virginia, Colorado, Connecticut | Yes | Standard high-risk triggers
Utah | No | UCPA omits the assessment requirement entirely (Iowa is the other comprehensive state law that does)
Iowa | No | Similar minimal-obligation posture; no assessment requirement
Texas, Oregon, Florida, Montana, Delaware, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island | Yes | Standard triggers; Maryland adds a strict data-minimization layer
Colorado AI Act (SB205) | Yes | Additional impact-assessment obligations for deployers of high-risk AI systems; interacts with CPA DPIAs

The GDPR baseline remains stricter than any individual US law: Article 35 requires the assessment itself, and Article 36 requires prior consultation with the supervisory authority when the residual risk remains high after mitigation. No US law imposes a consultation step. The state laws instead make the assessment producible to the attorney general on request, and California is the one exception on submission: the CPRA (Cal. Civ. Code 1798.185(a)(15)) directs the CPPA to require businesses to submit risk assessments to the agency on a regular basis, so a California assessment should be written on the assumption that a regulator will read it.

How Inori Handles This

Inori is a B2B COI-tracking platform operating on behalf of commercial real estate controllers. When Inori processes vendor and tenant data that qualifies as "sensitive" under applicable law (for example, government-ID numbers captured in certain insurance filings), it maintains internal DPIA records under the processor framework described in src/content/legal/privacy.mdx v1.2.

Key grounding points in the codebase:

  • Data inventory — src/lib/privacy/data-inventory.ts enumerates every category collected, retained, and shared, feeding the DPIA template.
  • Purpose limitation — the consent gate in src/middleware.ts and notification_preferences.analytics_opt_out enforce the declared purposes.
  • Retention — the hard-purge cron (src/app/api/cron/hard-purge-deleted-accounts) implements the "storage limitation" safeguard with a 90-day floor.
  • DSAR fulfillment — src/app/api/dsar/ evidences the controller's ability to honor access, deletion, and correction requests, which is a required DPIA safeguard.
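The trigger list under "When It Applies", the safeguards listed above and the "revisit on material change" rule from the Overview can be expressed as a check over a data-inventory entry. The TypeScript below is an added example written for this page, not Inori's code: the ProcessingActivity and Safeguards shapes, the category names, the sample activity and the safeguard flags are assumptions made for the example. It returns the statutory triggers that make a DPIA required, the safeguards still missing for that activity, and, for a changed entry, the reasons the assessment must be redone.

```typescript
// Added example (not Inori's code). Shapes, category names and sample data are assumptions.

type DataCategory =
  | "contact"
  | "insurance_certificate"
  | "government_id"          // sensitive here, following the page's note on insurance filings
  | "health"
  | "biometric"
  | "genetic"
  | "precise_geolocation"
  | "racial_ethnic_origin"
  | "sexual_orientation"
  | "immigration_status";

const SENSITIVE: ReadonlySet<DataCategory> = new Set<DataCategory>([
  "government_id", "health", "biometric", "genetic", "precise_geolocation",
  "racial_ethnic_origin", "sexual_orientation", "immigration_status",
]);

interface ProcessingActivity {
  name: string;
  categories: DataCategory[];
  purposes: string[];              // declared purposes; empty means purpose limitation is undocumented
  vendors: string[];               // sub-processors and other recipients
  soldOrShared: boolean;           // "sale" of personal data
  crossContextAds: boolean;        // targeted advertising
  profilingSignificantEffects: boolean;
  minSubjectAge: number | null;    // youngest data subject the activity can reach; null = unknown
  retentionDays: number | null;    // declared retention; null = unbounded
}

interface Safeguards {
  inventoried: boolean;  // entry exists in the data inventory
  consentGate: boolean;  // a consent gate enforces the declared purposes
  hardPurge: boolean;    // a scheduled hard purge implements storage limitation
  dsar: boolean;         // access, deletion and correction requests can be honoured
}

interface DpiaAssessment {
  required: boolean;
  triggers: string[];
  missingSafeguards: string[];
}

// Derive the high-risk triggers from the entry; if any fire, check the safeguards.
function assessDpia(a: ProcessingActivity, s: Safeguards): DpiaAssessment {
  const triggers: string[] = [];
  const sensitive = a.categories.filter((c) => SENSITIVE.has(c));
  if (sensitive.length > 0) triggers.push(`sensitive categories: ${sensitive.join(", ")}`);
  if (a.soldOrShared) triggers.push("sale or sharing of personal data");
  if (a.crossContextAds) triggers.push("targeted advertising based on cross-context behaviour");
  if (a.profilingSignificantEffects) triggers.push("profiling with legal or similarly significant effects");
  if (a.minSubjectAge !== null && a.minSubjectAge < 13) triggers.push("children's data (under 13)");
  else if (a.minSubjectAge !== null && a.minSubjectAge < 18) triggers.push("minors' data (13-17; threshold is state-dependent)");

  const required = triggers.length > 0;
  const missingSafeguards: string[] = [];
  if (required) {
    if (!s.inventoried) missingSafeguards.push("data inventory entry");
    if (a.purposes.length === 0 || !s.consentGate) missingSafeguards.push("purpose limitation (declared purposes + consent gate)");
    if (a.retentionDays === null || !s.hardPurge) missingSafeguards.push("storage limitation (bounded retention + hard purge)");
    if (!s.dsar) missingSafeguards.push("DSAR fulfilment (access, deletion, correction)");
  }
  return { required, triggers, missingSafeguards };
}

function added<T>(before: T[], after: T[]): T[] {
  return after.filter((x) => !before.includes(x));
}

// Material changes that force a fresh assessment: new categories, new vendors, new purposes,
// or a newly enabled high-risk activity. Removals alone do not.
function needsReassessment(prev: ProcessingActivity, next: ProcessingActivity): string[] {
  const reasons: string[] = [];
  const cats = added(prev.categories, next.categories);
  const vendors = added(prev.vendors, next.vendors);
  const purposes = added(prev.purposes, next.purposes);
  if (cats.length) reasons.push(`new data categories: ${cats.join(", ")}`);
  if (vendors.length) reasons.push(`new vendors: ${vendors.join(", ")}`);
  if (purposes.length) reasons.push(`new purposes: ${purposes.join(", ")}`);
  if (!prev.soldOrShared && next.soldOrShared) reasons.push("data is now sold or shared");
  if (!prev.crossContextAds && next.crossContextAds) reasons.push("targeted advertising added");
  if (!prev.profilingSignificantEffects && next.profilingSignificantEffects) reasons.push("significant-effect profiling added");
  return reasons;
}

// Constructed sample: a COI-intake activity that captures a government-ID number.
const coiIntake: ProcessingActivity = {
  name: "vendor COI intake",
  categories: ["contact", "insurance_certificate", "government_id"],
  purposes: ["verify insurance coverage"],
  vendors: ["document-storage"],
  soldOrShared: false,
  crossContextAds: false,
  profilingSignificantEffects: false,
  minSubjectAge: 18,
  retentionDays: 365,
};

const fullSafeguards: Safeguards = { inventoried: true, consentGate: true, hardPurge: true, dsar: true };

const demo = assessDpia(coiIntake, fullSafeguards);
console.log(JSON.stringify(demo, null, 2));
```

The sample fires one trigger (the government-ID category) and, with every safeguard wired, reports nothing missing; dropping the inventory entry or the hard purge surfaces them as gaps. Run needsReassessment against the previous and current versions of an entry whenever the inventory changes, and treat a non-empty result as the signal to reopen the DPIA.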

Customers acting as controllers inherit Inori's DPIA inputs through the DPA and can append them to their own assessments.

Related Concepts

Start with Data Processing Agreement to understand how DPIA inputs flow between controller and processor. If the processing touches sensitive categories, consult Sensitive Personal Information. For algorithmic decision-making triggers, see Profiling Opt-out.


Related Terms

Sensitive Personal Information (SPI)

Categories of personal data that receive heightened protection under state privacy laws — including race, health, biometric, genetic, precise geolocation, sexual orientation, immigration status, and children's data — typically requiring opt-in consent.

Right to Opt Out of Profiling

A consumer right recognized by 18 of the 20 comprehensive US state privacy laws to decline being subject to automated decision-making that produces legal or similarly significant effects — such as denial of credit, housing, insurance, or employment.

CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)

California's comprehensive consumer privacy laws giving residents the right to know, delete, correct, and opt out of the sale or sharing of their personal information. CPRA amended and expanded CCPA effective January 1, 2023.

Virginia Consumer Data Protection Act (VCDPA)

Virginia's comprehensive consumer privacy law — the second state law after CCPA — granting residents rights to access, correct, delete, and opt out of data sales. Served as the template for most subsequent state laws.