# DPIA Guide — Data Protection Impact Assessment | When, How, What It Includes

> Practical guide to DPIA (Data Protection Impact Assessment) — when mandatory, how to conduct, what it includes, and when Authority consultation is required. With examples for AI, CCTV monitoring, medical data processing, and profiling platforms. Per Amendment 13 + GDPR Article 35 + Israeli Privacy Authority opinions.

**Canonical:** https://dpoisrael.com/en/learn/dpia-guide/  
**Locale:** en-IL

---
**DPIA** (Data Protection Impact Assessment) is the legal instrument that examines a project / system / processing _before you start_. When mandatory, how to conduct, what it includes, and when Authority consultation is required — with examples from AI, CCTV, medical data, and profiling. Per Amendment 13 + GDPR Article 35 + Israeli Privacy Authority opinions.

## DPIA in brief

- **What it is:** Data Protection Impact Assessment
- **When mandatory:** Processing with high privacy risk
- **Legal basis:** Amendment 13 + GDPR Art. 35
- **Focused DPIA duration:** 3-5 weeks
- **Complex DPIA duration:** 8-12 weeks
- **Price:** 6,000-35,000 ILS
- **Who performs:** DPO / external / team independent of project
- **Authority consultation:** If residual risk still high

## What is a DPIA

**DPIA** (Data Protection Impact Assessment) is a structured process to evaluate the privacy impact of a project / system / processing on data subjects. It identifies risks in advance, proposes mitigations, and documents decisions. **PIA** (Privacy Impact Assessment) is an older synonym — same thing in practice.

## When mandatory

Amendment 13 mandates DPIA for processing "with high risk to privacy". This includes: sensitive data processing at scale; systematic public-space monitoring; automated decisions with significant impact on individuals (including AI); third-party sharing at scale; new technologies. 2026 Authority guidance expanded the requirement to AI and cross-border data processing.

## GDPR relationship

GDPR Article 35 imposes a similar obligation. Article 35(3) names the cases where a DPIA is always required (systematic and extensive profiling with legal or similarly significant effects, large-scale processing of special categories of data, and large-scale systematic monitoring of publicly accessible areas); the EDPB guidelines add nine risk criteria, and each national supervisory authority publishes its own list under Article 35(4). In most cases a project that requires a DPIA under Amendment 13 also requires one under GDPR, and one assessment serves both. In both frameworks the assessment must be completed _before_ processing begins.

## Steps — what you actually do

Six steps:

1. **Scope definition**: which project, which database, who the users are.
2. **Data flow mapping**: where the data comes from, where it goes, which vendors receive it, and whether it crosses borders.
3. **Risk identification**: what can go wrong for the data subjects, at what probability and with what severity.
4. **Mitigations**: which controls reduce each risk, following Privacy by Design (pseudonymization, data minimization, encryption, access control, short retention).
5. **Residual risk**: after the controls, is the remaining risk acceptable? If it is still high, consult the Authority.
6. **Documentation and decision**: a formal, signed report with an update date.
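The step-4 mitigation "pseudonymization" only reduces risk if the token cannot be turned back into the identifier without information held separately. As an added example (not code from this page or from any Authority template), the following Python contrasts a bare hash of a phone number with an HMAC under a separately held key, and applies the minimization step to a small export. The sample records, the `cctv`/`hr` domain labels and the field names are constructed for the demonstration.

```python
"""Keyed pseudonymization for a DPIA data-flow export.

Added illustration, not code from the page: a bare hash of a low-entropy
identifier (phone number, national ID) is re-identifiable by enumeration,
an HMAC with a key kept outside the dataset is not.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample records (fictional people and numbers, not real data).
SAMPLE_RECORDS = [
    {"national_id": "000000018", "phone": "0500000001", "diagnosis": "asthma", "notes": "walk-in"},
    {"national_id": "000000026", "phone": "0500000002", "diagnosis": "none", "notes": "referral"},
    {"national_id": "000000018", "phone": "0500000001", "diagnosis": "asthma", "notes": "repeat visit"},
]


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256. Deterministic and public: anyone can recompute it."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes, domain: str) -> str:
    """HMAC-SHA256 under a secret key.

    The domain label (a naming convention assumed for this example) is bound
    into the input so one key yields unlinkable tokens for different
    processing purposes, e.g. the HR file and the CCTV analytics project.
    """
    return hmac.new(key, f"{domain}:{value}".encode(), hashlib.sha256).hexdigest()


def pseudonymize_records(records, key: bytes, domain: str,
                         id_fields: Iterable[str], keep_fields: Iterable[str]) -> list:
    """Replace direct identifiers with keyed tokens and drop every other field.

    Dropping fields not listed in keep_fields is the data-minimization control;
    free-text fields are dropped by default because they tend to leak identifiers.
    """
    out = []
    for rec in records:
        new = {f: keyed_pseudonym(rec[f], key, domain) for f in id_fields}
        new.update({f: rec[f] for f in keep_fields})
        out.append(new)
    return out


def reidentify_by_enumeration(token: str, candidates: Iterable[str],
                              pseudonymize: Callable[[str], str]) -> Optional[str]:
    """The attacker's check: recompute the token for every candidate identifier."""
    for candidate in candidates:
        if pseudonymize(candidate) == token:
            return candidate
    return None


def phone_candidates(limit: int) -> Iterable[str]:
    """Israeli mobile numbers are '05' plus 8 digits: 10^8 values, small enough
    to enumerate offline. This demo walks only the first `limit` of them."""
    return (f"05{i:08d}" for i in range(limit))


def demo(key: bytes) -> dict:
    """Run both schemes and report what an attacker without the key recovers."""
    victim = SAMPLE_RECORDS[0]["phone"]
    naive_token = naive_pseudonym(victim)
    keyed_token = keyed_pseudonym(victim, key, "cctv")
    wrong_key = secrets.token_bytes(32)  # the attacker does not hold the real key
    return {
        "naive_recovered": reidentify_by_enumeration(
            naive_token, phone_candidates(100), naive_pseudonym),
        "keyed_recovered": reidentify_by_enumeration(
            keyed_token, phone_candidates(100),
            lambda v: keyed_pseudonym(v, wrong_key, "cctv")),
        "linkable_across_domains": keyed_pseudonym(victim, key, "cctv")
        == keyed_pseudonym(victim, key, "hr"),
        "records": pseudonymize_records(
            SAMPLE_RECORDS, key, "cctv",
            id_fields=("national_id", "phone"), keep_fields=("diagnosis",)),
    }


if __name__ == "__main__":
    # In production the key lives in a KMS/HSM, never beside the dataset.
    result = demo(secrets.token_bytes(32))
    print("bare hash re-identified:", result["naive_recovered"])
    print("keyed token re-identified:", result["keyed_recovered"])
    print("same person linkable across purposes:", result["linkable_across_domains"])
    for rec in result["records"]:
        print(rec)
```

The enumeration over 100 candidate numbers recovers the bare-hash token immediately, and the full 10^8 space takes minutes on commodity hardware, which is why a DPIA should not accept "we hash the IDs" as pseudonymization on its own. With the keyed scheme the residual risk moves to the key: the data flow map from step 2 should show where it is stored, who can invoke it, and that it never travels with the dataset.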

## What the report includes

A good DPIA report is 20-40 pages, containing: system and processing description; purpose and legal basis; data flow diagram; risk matrix; mitigations per risk; residual risk assessment; decision (proceed, modify, consult); stakeholder approval documentation; and update date.

## Authority consultation

When residual risk after mitigation is still high — Amendment 13 requires consultation with the Israeli Privacy Authority before processing begins. The submission is drafted by the DPO, includes all documentation, and is filed through an online system. Authority typically responds within 8-12 weeks, sometimes asking for clarifications.

## DPIA for AI systems

AI systems require an expanded DPIA. Beyond the standard topics, add a layer of questions:

- **Explainability**: can the system explain its decisions to the data subject and to the reviewer?
- **Bias**: was the model trained on data representative of the population it will be applied to, and has this been tested?
- **Human in the loop**: does every automated decision with significant impact on an individual pass meaningful human review before it takes effect?
- **Transfer to foundation-model providers** (OpenAI, Anthropic's Claude, Google's Gemini, or others): where is the data processed, is it used for training, and which personal data ends up inside prompts?
- **Prompt and log retention**: how long are prompts, outputs and logs kept, on whose side, and who can read them?

## DPIA for monitoring (CCTV, location)

Public CCTV systems, employee monitoring, location apps and in-store behavior analytics all require a DPIA. Questions to answer: who are the subjects? Is there signage? Is the purpose proportionate? What is the retention period? Is access controlled and logged? Are there automated actions (face recognition, license plate recognition)? Missing signage, a disproportionate purpose, open-ended retention or uncontrolled access each raise the risk level, and any automated recognition raises it further.

## Who performs — DPO, external consultant, or internal team

In an organization with an internal DPO, the DPO leads. Without one, an external consultant (like us). In a small organization, sometimes a "privacy team" of project manager, IT and legal. The criterion is the _assessor's independence from the specific project_: the project owner cannot be the assessor.

## Frequent questions about DPIA

### DPIA only for large organizations?

No. A 20-employee startup launching a new AI product — needs DPIA. Criterion is **processing type**, not organization size. 10,000-employee organization holding only basic employee file — usually not. 30-employee organization launching employee-monitoring product — needs it.

### How much does DPIA cost?

Focused DPIA for single project — 6,000-15,000 ILS. Wide DPIA for central organizational system or large AI — 15,000-35,000 ILS. With [DPO as a Service](/en/services/dpo), some DPIAs included in retainer.

### How long does it take?

Focused DPIA — 3-5 weeks. Complex DPIA — 8-12 weeks. If Authority consultation required — add 8-12 more weeks.

### What if we didn’t do DPIA and Authority found out?

Authority may require retroactive DPIA + processing suspension until completion + financial sanction. In severe cases — also lawsuits from those harmed. Better late DPIA than none.

### Do you have a template?

We have an internal 25-page template, Hebrew and English, calibrated for Amendment 13 and GDPR. We tailor per client — but don’t start blank. If interested in template only (no execution) — purchasable as separate product.

### Difference between DPIA and Risk Assessment?

DPIA focuses on **privacy risks to data subjects** — are their rights affected? Risk Assessment focuses on **business risks to organization** — can org lose? Both complement. DPIA captures "outside in" (harm to people), Risk Assessment captures "inside out" (harm to org).

## Got a project that needs DPIA?

30-minute call, quote within 48 hours, kick-off within two weeks.

[DPIA service details](/en/services/dpia)
