Data Protection Impact Assessment Guideline

On January 28, 2020, Data Protection Day, the Data Protection Impact Assessment Guideline (the ‘DPIA’) was published. It is the result of joint work between the Argentine Agency of Access to Public Information and the Uruguayan Regulatory and Personal Data Control Unit, national agencies in charge of enforcing data protection and privacy in both countries. It is worth noting that the need to conduct privacy impact assessement is incorporated in  Uruguayan law, while they are not in  Argentine (although it has been included in the Bill pending before Congress [more information on this here]).

The aim of the DPIA is to guide not only public organizations but also private companies from an early stage, to identify risks in the processing of personal data that may occur during their usual activities and projects and be able to minimize the potential negative effects that may arise from those activities or projects. Therefore, the DPIA purports to reinforce the data protection principles and to guide the data controller towards compliance. The DPIA is aimed at large companies and also tech start-ups and other small businesses.

The DPIA is divided into 6 evaluation stages which comprise from the identification of the key people in the potential processing of personal data to detection of the risks. In each of the stages, the data controller is urged to carry out partial reports that could later be included in a final report which will describe the foreseen actions and the results achieved.

The DPIA highlights the importance of keeping a record and being aware of the evaluation process of the DPIA in an auditable and thorough manner. Moreover, it is recommended that the data controller publishes a copy of the final report on its website or makes it available upon request, redacting any confidential information if applicable.