# DPIA — Data Protection Impact Assessment | Israel + GDPR Article 35

> Data Protection Impact Assessment (DPIA / PIA) for new projects, AI systems, sensitive data processing and third-party sharing. Workshop with project owners, risk matrix, mitigation measures, documentation, Authority consultation if required. Methodology per Amendment 13 + GDPR Article 35 + Israeli Privacy Authority opinions.

**Canonical:** https://dpoisrael.com/en/services/dpia/  
**Locale:** en-IL

---

**Data Protection Impact Assessment** for new projects, AI systems, sensitive data processing, third-party data sharing and systematic monitoring. Methodology per **Amendment 13**, Israeli Privacy Authority opinions, and **GDPR Article 35**. Deliverable: a written DPIA report, risk matrix, prioritized mitigations, and a decision on Authority consultation.

## DPIA — how it works

- **Duration:** 3-12 weeks by scope
- **Price range:** 6,000-35,000 ILS by complexity
- **Fits:** AI projects, organizational systems, monitoring, sharing
- **Methodology:** GDPR Art. 35 + Amendment 13 + Authority guidance
- **Deliverable:** 20-40 page report, risk matrices, mitigations, decision
- **Sign-off:** Database owner + DPO + project lead
- **Validity:** Until significant change in processing
- **Authority consultation:** If required — we manage the process

## Six situations requiring DPIA

### AI for automated decisions

A system that makes decisions about people: candidate screening, credit approval, risk scoring, profiling. A DPIA is mandatory here even for mid-size organizations.

### Sensitive data at scale

Medical data, data on minors, intimate surveys, location data, sexuality, religion. Covered by Amendment 13 and the 2026 Authority guidance.

### Systematic monitoring of public space

City CCTV, sensors, customer behavior analysis, employee monitoring. Touches Privacy by Design principles.

### Data sharing with third party

Database transfer to a new vendor, integration with external system, sharing customer records with a business partner, cross-border transfer.

### New employee-facing system

Productivity monitoring, employee health system, new payroll system, biometric security system.

### M&A and exit

When data transfers between entities — DPIA finds privacy risks not considered in the deal.

## Six steps from kick-off to report

### 01. Scope definition

A 90-minute kick-off with project lead, IT, legal. What is the system? What is the data flow? Who are the users? What is the business risk?

### 02. Data and processing map

What data is collected? Why? From where? To where? Legal basis? Retention? Data subjects? Third parties?

### 03. Risk matrix

For each data flow: what can go wrong, and at what probability and severity? Result: a visual risk matrix.

### 04. Mitigations

For each risk: which controls reduce it? Privacy by Design measures (pseudonymization, minimization, local storage, role-based access).

### 05. Authority consultation

If residual risk is still high — Amendment 13 requires consultation with the Israeli Privacy Authority before processing begins. We manage the process.

### 06. Final DPIA report

Written document (20-40 pages), matrices, decisions, mitigation plan, update date. Signed by the database owner and DPO.
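As an added worked example (not the page's or dpoisrael.com's own material), the risk-matrix, mitigation and consultation-decision steps above (03 to 05) are shown below as a small Python risk register: each data flow gets an inherent score, planned mitigations lower it, and the residual score decides whether consultation is still needed. The 5x5 scoring scale, the score thresholds, the mitigation deltas and the sample risks are assumptions constructed for illustration.

```python
# Added illustration, not from the page: a minimal DPIA risk register that scores
# each data flow, applies planned mitigations and flags whether residual risk
# still calls for Authority consultation. The 5x5 scale, the thresholds and the
# sample risks are assumptions.
from dataclasses import dataclass, field

HIGH_THRESHOLD = 12   # assumption: on a 5x5 matrix, a score >= 12 is "high"
MEDIUM_THRESHOLD = 6  # assumption: 6..11 is "medium", below that "low"

@dataclass
class Risk:
    flow: str            # the data flow the risk attaches to
    harm: str            # what can go wrong for the data subject
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    severity: int        # 1 (minor) .. 5 (severe)
    # (control name, likelihood reduction, severity reduction) per mitigation
    mitigations: list = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.severity

    def residual(self) -> int:
        # Apply every mitigation; neither axis can drop below 1.
        lik, sev = self.likelihood, self.severity
        for _, d_lik, d_sev in self.mitigations:
            lik, sev = max(1, lik - d_lik), max(1, sev - d_sev)
        return lik * sev

def band(score: int) -> str:
    if score >= HIGH_THRESHOLD:
        return "high"
    return "medium" if score >= MEDIUM_THRESHOLD else "low"

def assess(risks):
    # Returns one row per risk plus the consultation decision: any residual
    # "high" risk means consultation before processing begins.
    rows = [(r.flow, r.harm, r.inherent(), r.residual(), band(r.residual())) for r in risks]
    return rows, any(b == "high" for *_, b in rows)

SAMPLE = [  # constructed example: an AI candidate-screening project
    Risk("CV upload -> screening model", "profiling bias against a protected group", 4, 5,
         [("bias testing per cohort", 1, 0)]),
    Risk("prompts -> foundation-model API", "personal data retained by the vendor", 3, 4,
         [("DPA with no-training clause", 1, 0), ("pseudonymize before sending", 1, 2)]),
    Risk("prompt logs", "over-retention of prompts holding personal data", 3, 3,
         [("30-day retention + role-based access", 2, 0)]),
]

if __name__ == "__main__":
    rows, consult = assess(SAMPLE)
    for flow, harm, inh, res, b in rows:
        print(f"{flow:34} inherent={inh:2} residual={res:2} ({b}): {harm}")
    print("Authority consultation required:", consult)
```

The first sample risk stays "high" after its single mitigation, so the register reports that consultation is required; adding a second control (for example human review of every rejection) brings it into the "medium" band and clears the flag.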

## DPIA for AI — what's different

### Explainability

How does the system make decisions? Can a data subject request an explanation? Is there a right of appeal?

### Bias

Is the model trained on representative data? Unfair results for specific groups? How is it measured?

### Minimization in models

Is all input data necessary? Can synthetic or pseudonymized data be used?

### Data transfer to foundation models

OpenAI, Claude, Gemini, others — where is data processed? Is there a Data Processing Addendum? Is the data used for training?

### Human in the loop

Does every automated decision pass human review? If not — a special legal basis is required under Amendment 13.

### Prompt and log retention

Prompts contain personal data — how are they stored? For how long? Who has access?

## Frequent questions about DPIA

### When is DPIA mandatory?

In Israel after Amendment 13: when processing sensitive data at scale, systematic monitoring of public space, or automated decisions with significant impact on data subjects (including AI). 2026 Authority guidance expanded the requirement to AI projects. Under GDPR — per Article 35 and the EDPB list.

### How long does a DPIA take?

Focused project DPIA — 3-5 weeks from kick-off to final report. Wide DPIA (AI platform, central organizational system) — 8-12 weeks.

### What is the difference between DPIA and PIA?

Basically the same. **DPIA** is the GDPR term; **PIA** (Privacy Impact Assessment) is the older term. Both are used in Israel, but we recommend the DPIA template, which also fits emerging cross-border obligations.

### Do you have a template?

A 25-page internal template, in Hebrew and English, calibrated for Amendment 13 and GDPR. We tailor it per client, so you don't start from a blank page.

### What if Authority consultation is required?

If residual risk after mitigation is still high — Amendment 13 requires consultation with the Authority before processing. We prepare the submission, draft the materials, and lead the dialogue. The Authority typically responds within 8-12 weeks.

### How much does it cost?

Project DPIA — 6,000-15,000 ILS per assessment. Complex DPIA for an organizational system or large AI — 15,000-35,000 ILS. With [DPO as a Service](/en/services/dpo) retainer, some DPIAs are included in higher tiers.

## Got a project that needs DPIA?

30-minute call, quote within 48 hours, kick-off within two weeks.

[Discuss a project](/en/contact)
