
DPIA
Data Protection Impact Assessment.

Data Protection Impact Assessment for new projects, AI systems, sensitive data processing, third-party data sharing and systematic monitoring. Methodology per Amendment 13, Israeli Privacy Authority opinions, and GDPR Article 35. Deliverable: a written DPIA report, risk matrix, prioritized mitigations, and a decision on Authority consultation.

When needed

Six situations requiring a DPIA

AI for automated decisions

A system that makes decisions about people: candidate screening, credit approval, risk scoring, profiling. A DPIA is mandatory even for a mid-size system.

Sensitive data at scale

Medical data, data on minors, intimate surveys, location data, sexuality, religion. Amendment 13 + 2026 Authority guidance.

Systematic monitoring of public space

City CCTV, sensors, customer behavior analysis, employee monitoring. Touches Privacy by Design principles.

Data sharing with third party

Database transfer to a new vendor, integration with external system, sharing customer records with a business partner, cross-border transfer.

New employee-facing system

Productivity monitoring, employee health system, new payroll system, biometric security system.

M&A and exit

When data transfers between entities — a DPIA finds privacy risks that were not considered in the deal.

Process

Six steps from kick-off to report

01

Scope definition

A 90-minute kick-off with project lead, IT, legal. What is the system? What is the data flow? Who are the users? What is the business risk?

02

Data and processing map

What data is collected? Why? From where? To where? Legal basis? Retention? Data subjects? Third parties?

03

Risk matrix

For each data flow — what can go wrong? At what probability and severity? The result is a visual matrix.

04

Mitigations

For each risk — which controls reduce it? Privacy by Design measures (pseudonymization, minimization, local storage, role-based access).

05

Authority consultation

If residual risk is still high — Amendment 13 requires consultation with the Israeli Privacy Authority before processing begins. We manage the process.

06

Final DPIA report

Written document (20-40 pages), matrices, decisions, mitigation plan, update date. Signed by the database owner and DPO.

Special case

DPIA for AI — what's different

Explainability

How does the system make decisions? Can a data subject request an explanation? Is there a right of appeal?

Bias

Is the model trained on representative data? Are results unfair for specific groups? How is that measured?

Minimization in models

Is all input data necessary? Can synthetic or pseudonymized data be used?

Data transfer to foundation models

OpenAI, Claude, Gemini and others — where is the data processed? Is there a Data Processing Addendum? Is the data used for training?

Human in the loop

Does every automated decision pass human review? If not — a special legal basis is required under Amendment 13.

Prompt and log retention

Prompts contain personal data — how are they stored? For how long? Who has access?

Frequent questions about DPIA

When is a DPIA mandatory?

In Israel after Amendment 13: when processing sensitive data at scale, systematic monitoring of public space, or automated decisions with significant impact on data subjects (including AI). 2026 Authority guidance expanded the requirement to AI projects. Under GDPR — per Article 35 and the EDPB list.

How long does a DPIA take?

Focused project DPIA — 3-5 weeks from kick-off to final report. Wide DPIA (AI platform, central organizational system) — 8-12 weeks.

What is the difference between DPIA and PIA?

Essentially the same. DPIA is the GDPR term; PIA (Privacy Impact Assessment) is the older term. Both are used in Israel, but we recommend the DPIA template, which also fits emerging cross-border obligations.

Do you have a template?

A 25-page internal template, in Hebrew and English, calibrated for Amendment 13 and GDPR. We tailor it per client, but we don't start from a blank page.

What if Authority consultation is required?

If residual risk after mitigation is still high — Amendment 13 requires consultation with the Authority before processing. We prepare the submission, draft the materials, and lead the dialogue. The Authority typically responds within 8-12 weeks.

How much does it cost?

Project DPIA — 6,000-15,000 ILS per assessment. Complex DPIA for an organizational system or large AI — 15,000-35,000 ILS. With DPO as a Service retainer, some DPIAs are included in higher tiers.

Got a project that needs a DPIA?

30-minute call, quote within 48 hours, kick-off within two weeks.
