The essentials in 30 seconds
- A DPIA (EIPD in Chile) is a prior analysis of the risks a processing activity poses to people.
- It is mandatory for high-risk processing: large-scale sensitive data, profiling, systematic monitoring, automated decisions, new technologies.
- It is carried out before starting the processing, not afterward.
- It must be documented and reviewed whenever the processing changes.
- It is part of proactive accountability and builds on your RoPA.
Not every processing activity requires an impact assessment — but those that do require it before they begin, and omitting it is a gap that weighs heavily in an inspection. The good news: when properly focused, a DPIA is a decision-making tool, not a formality. If you do not yet have the big picture, start with the definitive guide to Law 21.719.
What a DPIA is
The Data Protection Impact Assessment (DPIA, known in Chile as EIPD, Evaluación de Impacto en Protección de Datos) is a prior analysis that serves to anticipate and mitigate the risks that a processing activity may pose to people's rights. Instead of discovering the problem once it has already happened, the DPIA forces you to think it through beforehand: what could go wrong for data subjects, and how do we prevent it?
When is it mandatory?
The DPIA is triggered when a processing activity may involve a high risk to data subjects' rights. These are the typical scenarios:
| Situation | Does it require a DPIA? |
|---|---|
| Large-scale processing of sensitive data (health, biometrics…) | Yes |
| Systematic observation or monitoring of people | Yes |
| Profiling and automated decisions with significant effects | Yes |
| Use of new technologies with a privacy impact | Yes |
| Massive cross-referencing or combination of databases | Very likely |
| Routine, low-volume, low-risk processing | Generally not |
When in doubt, carrying out the DPIA is the prudent choice: the cost of assessing it is low compared to that of a high-risk processing activity with no analysis. Sectors such as healthcare and banking need it frequently.
What a DPIA must contain
- Description of the processing: what data, about whom, for what purpose and by what means.
- Necessity and proportionality: Is it really necessary to process that data for that purpose? Is there a less invasive route?
- Identification of risks to data subjects' rights (improper access, loss, misuse, discrimination).
- Mitigation measures: technical and organizational controls to reduce each risk.
- Conclusion and follow-up: whether the residual risk is acceptable and how it will be reviewed over time.
How to carry it out step by step
- Identify whether it is triggered: use the table above when designing a new processing activity or reviewing an existing one in your RoPA.
- Describe the processing in detail (data flows, systems, third parties).
- Assess necessity and proportionality: discard data or purposes that add nothing.
- Map the risks and their likelihood and impact.
- Define mitigation measures and recalculate the residual risk.
- Document and decide: if the residual risk remains high, revisit the design before moving forward.
- Review the DPIA whenever the processing changes.
Common mistakes
- Doing it at the end, once the system is already built. The DPIA is privacy by design: it goes at the start.
- Treating it as a form to fill in, without real decisions about the design of the processing.
- Not involving IT and legal together: the risk is technical and legal at the same time.
- Not reviewing it when the purpose changes or a new vendor is added.
Do you have high-risk processing that has not been assessed?
We help you identify which activities require a DPIA and carry them out with a focus on decisions, not paperwork. A 30-minute assessment, no obligation.
Frequently asked questions
What is a DPIA?
A Data Protection Impact Assessment (DPIA, known in Chile as EIPD) is a prior analysis that identifies and mitigates the risks that a processing activity may pose to people's rights. It is carried out before starting high-risk processing.
When is it mandatory?
When a processing activity may involve a high risk: large-scale sensitive data, systematic monitoring, profiling, automated decisions with significant effects, or the use of new technologies. When in doubt, carrying it out is the prudent choice.
What must it contain?
A description of the processing and its purpose, an assessment of necessity and proportionality, the identification of risks to data subjects, mitigation measures and conclusions with follow-up.
Who carries it out?
The data controller, ideally with the Data Protection Officer (DPO) if one exists, and with the support of the technical and legal teams. It must be documented and reviewed whenever the processing changes.