Fatskills
Practice. Master. Repeat.
Study Guide: Certified Information Privacy Professional (CIPP): Common - Accountability and Governance, DPIA, Privacy Impact Assessments, Records of Processing
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-common-accountability-and-governance-dpia-privacy-impact-assessments-records-of-processing

Certified Information Privacy Professional (CIPP): Common - Accountability and Governance, DPIA, Privacy Impact Assessments, Records of Processing

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~6 min read

CIPP (US & EU) – Accountability & Governance
Focus: DPIA, Privacy Impact Assessments, Records of Processing


What This Is

Accountability and governance require organizations to be able to demonstrate that they handle personal data lawfully, fairly, and securely (GDPR Art. 5(2) and Art. 24). In practice this means conducting privacy risk assessments (DPIAs/PIAs) before launching high-risk projects and maintaining formal records of processing activities. Imagine a multinational retailer that wants to roll out a new AI-driven recommendation engine for its EU-based e-commerce site. Before the algorithm can go live, the retailer must evaluate the impact on EU data subjects, document the processing, and be ready to show regulators that the residual risk has been mitigated. Failure to do so can trigger substantial fines: under the GDPR a missing DPIA or ROPA is itself an infringement of Art. 35 or Art. 30, fineable under Art. 83(4) at up to EUR 10 million or 2% of worldwide annual turnover, and comparable documentation failures draw enforcement under CCPA/CPRA and HIPAA.


Key Terms & Provisions

  • Data Protection Impact Assessment (DPIA): Mandatory under GDPR Art. 35 when processing is "likely to result in a high risk" to individuals. Art. 35(3) names three cases (systematic and extensive automated evaluation or profiling with legal or similarly significant effects; large-scale processing of special-category or criminal-conviction data; large-scale systematic monitoring of a publicly accessible area), and each supervisory authority publishes its own list of processing that requires one (Art. 35(4)).
  • Privacy Impact Assessment (PIA): The U.S.-style counterpart. Federal agencies must perform one under the E-Government Act of 2002 (§208); state laws such as Virginia's CDPA require a "data protection assessment" for high-risk processing (targeted advertising, sale, profiling, sensitive data). The FTC Safeguards Rule (GLBA) requires a written security risk assessment, which is related but is not a PIA.
  • Record of Processing Activities (ROPA): Required by GDPR Art. 30 for controllers and processors. Organizations with fewer than 250 employees are exempt only if the processing is occasional, is not likely to result in a risk to individuals, and involves no special-category or criminal-conviction data (Art. 30(5)); in practice most organizations fall outside the exemption. A controller's record must include contact details (controller, DPO), purposes, categories of data subjects and data, categories of recipients, third-country transfers and their safeguards, envisaged retention periods, and a general description of security measures.
  • Legitimate Interest Assessment (LIA): The documented three-part test (purpose, necessity, balancing) required when relying on legitimate interests as the lawful basis (GDPR Art. 6(1)(f)). It is a separate document from the DPIA, although the two are often produced together for the same project.
  • Joint Controllers: When two or more controllers jointly determine the purposes and means of processing (GDPR Art. 26). They must set out their respective responsibilities in a transparent arrangement and make its essence available to data subjects; there is no "joint processor" concept in the GDPR.
  • Business Associate Agreement (BAA): HIPAA contract obligating a business associate to protect PHI and document safeguards; analogous to a GDPR processor contract (Art. 28).
  • Data Subject Access Request (DSAR): The right under GDPR Art. 15 (and the CCPA/CPRA right to know, Cal. Civ. Code §1798.100 et seq.) to obtain a copy of one's personal data. Answering one requires knowing where the data lives, which is exactly what a current ROPA provides.
  • Data Minimisation: GDPR principle (Art. 5(1)(c)) requiring that only data adequate, relevant and necessary for the purpose be collected; a key factor in the DPIA's necessity and proportionality assessment.
  • Cross-Border Transfer Mechanism: GDPR Chapter V (Art. 44-50): adequacy decisions (including the EU-U.S. Data Privacy Framework, adopted July 2023), Standard Contractual Clauses, or Binding Corporate Rules. A DPIA covering a transfer must evaluate the adequacy of these safeguards (the "transfer impact assessment" expected after Schrems II). The CCPA/CPRA has no transfer restriction; its "do not sell or share" opt-out governs disclosures to third parties regardless of where they are located.
  • Breach Notification Deadline: GDPR: 72 hours to the supervisory authority after becoming aware (Art. 33). California: "in the most expedient time possible and without unreasonable delay" (Cal. Civ. Code §1798.82, the state breach statute rather than the CCPA itself; it sets no fixed day count). HIPAA: without unreasonable delay and no later than 60 calendar days after discovery (45 C.F.R. §164.404). A well-kept ROPA speeds up breach scoping and reporting.

Step?by?Step / Process Flow

  1. Identify the Trigger – A new project, system change, or third-party contract that involves personal data (e.g., launching a chatbot that stores voice recordings).
  2. Screen for High-Risk Processing – Use a checklist built from Art. 35(3) and the WP29/EDPB criteria: evaluation or scoring, automated decisions with significant effect, systematic monitoring, special-category data, large scale, matching or combining datasets, vulnerable data subjects, innovative technology, and transfers outside the EU. As a rule of thumb, meeting two or more criteria means a DPIA is required; if in doubt, do one.
  3. Conduct the DPIA/PIA:
     • Describe the processing (purpose, data types, data flow, recipients, retention).
     • Assess necessity and proportionality (is each data element needed; could a less intrusive design achieve the purpose).
     • Score each risk to individuals (likelihood × severity) and record the inherent score.
     • Draft mitigation measures (e.g., pseudonymisation, access controls, shorter retention, consent where appropriate) and record the residual score. If high risk remains after mitigation, consult the supervisory authority before processing (Art. 36).
  4. Update the ROPA – Log the new activity (purpose, lawful basis, categories, recipients, retention, transfers) in the central register and link the DPIA document for audit traceability.
  5. Obtain Approvals & Document – Seek the DPO's advice (required by Art. 35(2)), then obtain sign-off from legal counsel and senior management; archive the DPIA, LIA, and ROPA entry.
  6. Monitor & Review – Set a review date (typically 12 months) or trigger a re-assessment when the processing changes (e.g., new data source, new purpose, or algorithm update).

Common Mistakes

  • Mistake: Treating a DPIA as a one-time "checkbox" and never revisiting it.
    Correction: DPIAs are living documents (Art. 35(11) requires a review at least when the risk changes); schedule periodic reviews and re-run the assessment whenever the processing changes.

  • Mistake: Assuming a small-scale pilot is exempt from a DPIA because the organization has fewer than 250 employees.
    Correction: The employee threshold belongs to the ROPA exemption (Art. 30(5)), not to the DPIA. High-risk processing always requires a DPIA regardless of organization size.

  • Mistake: Recording only the purpose and lawful basis in the ROPA and omitting recipients, transfers, retention, and security measures.
    Correction: Art. 30(1) demands a full set of elements: controller and DPO contact details, purposes, categories of data subjects and data, categories of recipients, third-country transfers with their safeguards, envisaged retention periods, and a general description of security measures. (Lawful basis is not listed in Art. 30 but is widely recorded as good practice.) A missing element is itself a compliance gap.

  • Mistake: Relying on "consent" alone to satisfy the DPIA without documenting the risk-mitigation steps.
    Correction: Consent is a lawful basis, but the DPIA must still demonstrate that the processing is necessary and proportionate and that residual risks are mitigated.

  • Mistake: Confusing a processor contract (Art. 28) with a joint controller arrangement (Art. 26).
    Correction: Joint controllers share decision-making over purposes and means and must allocate responsibilities between themselves; processors act only on the controller's documented instructions.


CIPP Exam Insights

  1. DPIA Thresholds – Exams love the "high-risk" list. Know the three Art. 35(3) cases (systematic automated evaluation or profiling with legal or similarly significant effects; large-scale special-category or criminal-conviction data; large-scale systematic monitoring of public areas) and the nine WP29/EDPB criteria, with the rule of thumb that meeting two of them usually means a DPIA is required.
  2. ROPA Scope – Art. 30 applies to all controllers and processors; the under-250-employee exemption (Art. 30(5)) is lost as soon as processing is non-occasional, likely to result in a risk, or involves special-category or criminal-conviction data, so it rarely applies in practice.
  3. US vs. EU Consent – CCPA/CPRA is opt-out for the "sale" or "sharing" of personal information (opt-in only for consumers under 16), with a separate right to limit the use of sensitive personal information. Under the GDPR, consent is one of six lawful bases and must be freely given, specific, informed and unambiguous; special-category data needs explicit consent or another Art. 9(2) exception. Expect a question contrasting the two.
  4. HIPAA vs. GDPR – HIPAA's "business associate" is analogous to a GDPR "processor," but HIPAA does not require a DPIA; instead, the Security Rule mandates a risk analysis (45 C.F.R. §164.308(a)(1)(ii)(A)). Do not confuse this with the FTC Safeguards Rule, which applies to financial institutions under GLBA.

Quick Check Questions

  1. Scenario: A U.S. health-tech startup plans to collect EU patients' biometric data for a tele-medicine platform.
    Question: Must the startup conduct a DPIA, and why?
    Answer: Yes. Biometric data used to uniquely identify a person, and health data, are special categories under GDPR Art. 9, and processing them at scale is an explicit Art. 35(3)(b) trigger. The platform also uses innovative technology and transfers data outside the EU, two further WP29 criteria, so the DPIA must assess the transfer mechanism as well. Art. 3(2) brings the U.S. startup into scope because it offers services to data subjects in the Union.

  2. Scenario: A retailer processes the email addresses of 5,000 EU customers for a newsletter. No profiling or special categories are involved.
    Question: Is a DPIA required?
    Answer: No. The processing is low risk (no special categories, no systematic profiling, modest scale), so a DPIA is not mandatory; a ROPA entry and a documented lawful basis are still required.

  3. Scenario: A California-based SaaS company receives a request from a California resident under the CCPA to delete personal information stored on a U.S. server.
    Question: Can the company refuse the deletion request?
    Answer: Only on the statutory exceptions in Cal. Civ. Code §1798.105(d), e.g., the data are needed to complete the transaction or perform the contract, to comply with a legal obligation, or to detect security incidents; otherwise the request must be honored and passed on to the company's service providers. Server location is irrelevant: the CCPA applies based on the consumer's residence and the business meeting the statute's thresholds. PHI covered by HIPAA is exempt from the CCPA altogether (§1798.145(c)).


Last?Minute Cram Sheet

  1. GDPR Art. 35 – DPIA required for high-risk processing (Art. 35(3): systematic automated evaluation or profiling, large-scale special categories, large-scale public monitoring); consult the supervisory authority under Art. 36 if high residual risk remains.
  2. GDPR Art. 30 – ROPA must list controller/DPO contacts, purposes, categories of data subjects and data, recipients, transfers and safeguards, retention, and security measures; the under-250-employee exemption (Art. 30(5)) applies only to occasional, low-risk processing with no special-category data.
  3. CCPA/CPRA §1798.100 et seq. – Right to know (access); businesses must respond within 45 days, extendable once by a further 45 days (§1798.130).
  4. HIPAA 45 C.F.R. §164.308(a)(1)(ii)(A) – Requires an accurate and thorough risk analysis (the nearest U.S. equivalent of a DPIA); §164.306 states the general security standards it supports.
  5. GDPR Art. 33 – Breach notification to the supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in a risk; Art. 34 requires notifying individuals when the risk is high.
  6. California breach notice (Cal. Civ. Code §1798.82) – "In the most expedient time possible and without unreasonable delay"; no fixed day count (unlike HIPAA's 60 days).
  7. Standard Contractual Clauses (SCCs) – Primary GDPR transfer mechanism after Schrems II (alongside the 2023 EU-U.S. Data Privacy Framework adequacy decision); the transfer and its safeguards must be reflected in the DPIA.
  8. Legitimate Interest Assessment (LIA) – Documented separately from the DPIA; three-part test: (a) purpose (a legitimate interest), (b) necessity, (c) balancing against the data subject's interests and rights, including the safeguards that tip the balance.
  9. GDPR Art. 3 – Territorial scope covers EU establishments (Art. 3(1)) and any entity outside the EU that offers goods or services to, or monitors the behaviour of, data subjects in the Union (Art. 3(2)), regardless of physical EU presence.
  10. CCPA "sale" vs. "sharing" – Since the CPRA, both "selling" and "sharing" (disclosure for cross-context behavioural advertising) trigger the opt-out right (§1798.120); disclosures to service providers or contractors for a business purpose do not.

Good luck – you've got the core concepts, the exam traps, and the practical steps to ace the accountability & governance portion of CIPP/US and CIPP/E!