Identification and assessment of eligibility criteria for preparing the Personal Data Protection Impact Assessment (RIPD)

Keywords

General Data Protection Law (LGPD)
Data Protection Impact Assessment (RIPD)
high risk

How to Cite

Garacis, R. (2025). Identification and assessment of eligibility criteria for preparing the Personal Data Protection Impact Assessment (RIPD). Brazilian Journal of Law, Technology and Innovation, 3(1), 100–116. https://doi.org/10.59224/bjlti.v3i1.100-116

Abstract

This study aims to analyze the criteria that determine whether personal data processing requires the preparation of a Data Protection Impact Assessment (RIPD) and its relevance for compliance with the Brazilian General Data Protection Law (LGPD). The RIPD is an essential tool for assessing risks in personal data processing, enabling organizations to identify, measure, and mitigate potential impacts on privacy and security. With the exponential growth of data collection, storage, and processing in digital environments, understanding the legal and methodological requirements involved in its preparation is crucial. The research addresses the key quantitative and qualitative factors that determine the necessity of conducting a RIPD, as well as the practical challenges organizations face in identifying these elements. Additionally, the role of regulatory authorities, such as the Brazilian National Data Protection Authority (ANPD), in overseeing and requiring this document for certain data processing activities is discussed. The study also compares the eligibility criteria for the RIPD with international guidelines, such as those established by the European Union's General Data Protection Regulation (GDPR), aiming to understand similarities, differences, and potential challenges in adapting to the Brazilian context. Finally, the challenges and benefits of implementing the RIPD are analyzed, highlighting its importance in fostering a data protection culture and ensuring greater legal security for companies and institutions engaged in personal data processing.

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

Copyright (c) 2025 Rainier Garacis