{"id":19743,"date":"2025-12-23T08:00:43","date_gmt":"2025-12-23T08:00:43","guid":{"rendered":"https:\/\/letslaw.es\/?p=19743"},"modified":"2025-12-17T16:16:17","modified_gmt":"2025-12-17T16:16:17","slug":"big-data-impact-assessment","status":"publish","type":"post","link":"https:\/\/letslaw.es\/en\/big-data-impact-assessment\/","title":{"rendered":"Do you work with Big Data? How to conduct an impact assessment"},"content":{"rendered":"<p>The General Data Protection Regulation (GDPR), in force since 25 May 2018, introduced the obligation to carry out a <strong>Data Protection Impact Assessment (DPIA)<\/strong> for processing operations that may entail a high risk to the rights and freedoms of individuals.<\/p>\n<p>Any company or ecommerce platform that processes personal data should understand what this preventive analysis involves and when it is mandatory. At LETSLAW, we have previously addressed the key aspects of DPIAs, and today we update this information in light of the most recent European and national regulatory developments.<\/p>\n<p>The European Data Protection Board (EDPB) (formerly the Article 29 Working Party) has issued several guidelines interpreting the GDPR and setting out practical criteria on <strong>when a DPIA should be carried out and what it should include<\/strong>. Moreover, recent European regulations on Artificial Intelligence and data governance have reinforced its relevance in Big Data and automation environments.<\/p>\n<h2>Privacy risks in Big Data<\/h2>\n<p>Big Data involves the <strong>large-scale, continuous, and automated processing of massive amounts of information<\/strong>, often using predictive analytics, profiling, or artificial intelligence techniques. 
These processing activities can seriously compromise privacy if their risks are not properly assessed.<\/p>\n<p>Article 35 of the GDPR establishes that a DPIA must be carried out whenever processing operations are \u201clikely to result in a high risk to the rights and freedoms of natural persons.\u201d There are three specific scenarios in which this obligation always applies:<\/p>\n<ol>\n<li><strong>Large-scale processing of sensitive data<\/strong>, such as health, political beliefs, sexual orientation, or biometric data.<\/li>\n<li><strong>Systematic large-scale monitoring<\/strong> of publicly accessible areas.<\/li>\n<li>Automated evaluations or decisions producing <strong>legal or similarly significant effects<\/strong> on individuals (for example, profiling or credit scoring systems).<\/li>\n<\/ol>\n<p>The GDPR also clarifies that this list is not exhaustive. Any processing operation that poses significant risks must be evaluated.<\/p>\n<p>The EDPB and the Spanish Data Protection Authority (AEPD) identify <strong>several criteria that help determine when a processing activity is considered high-risk<\/strong>, including:<\/p>\n<ul>\n<li>Evaluation or scoring of individuals (profiling or prediction).<\/li>\n<li>Automated decision-making with legal or economic consequences.<\/li>\n<li>Systematic monitoring or surveillance.<\/li>\n<li>Processing of special categories of data or other confidential information.<\/li>\n<li>Large-scale data processing.<\/li>\n<li>Combination of datasets from different sources.<\/li>\n<li>Processing data of vulnerable individuals (minors, employees, patients, etc.).<\/li>\n<li>Use of innovative or disruptive technologies, such as AI, biometrics, or advanced geolocation.<\/li>\n<li><a title=\"International transfers of data\" href=\"https:\/\/letslaw.es\/en\/edpb-publishes-guidelines-data-transfers\/\">International transfers of data<\/a> outside the EU.<\/li>\n<li>Processing operations that restrict the exercise of 
rights or access to services or contracts.<\/li>\n<\/ul>\n<p>As a general rule, if the processing meets <strong>two or more of these criteria<\/strong>, conducting a DPIA is considered advisable \u2014 and in most cases, mandatory.<\/p>\n<h2>When a data protection impact assessment is mandatory<\/h2>\n<p><strong>A DPIA must be conducted before starting the processing<\/strong> and forms part of the accountability principle required by the GDPR.<\/p>\n<p>Even when it is uncertain whether a DPIA is mandatory, both the EDPB and the AEPD recommend carrying it out, as it serves as an <strong>effective tool to identify and mitigate risks and to demonstrate regulatory compliance<\/strong> in the event of an inspection.<\/p>\n<p>From 2025 onwards, this assessment gains even greater importance in certain contexts:<\/p>\n<ul>\n<li>When the processing involves high-risk <strong>Artificial Intelligence systems<\/strong>, under the new Regulation (EU) 2024\/1689 \u2013 AI Act, the DPIA must be coordinated with the conformity assessment required for AI systems.<\/li>\n<li>In processing operations <strong>involving data sharing or reuse<\/strong> under the Data Act (Regulation EU 2023\/2854) or the Data Governance Act (Regulation EU 2022\/868), the DPIA should include an additional analysis of data access conditions, <a title=\"anonymisation\" href=\"https:\/\/letslaw.es\/en\/guide-procedures-data-anonymisation\/\">anonymisation<\/a>, and traceability controls.<\/li>\n<li>In Spain, the AEPD updated its Practical Guide on DPIAs in 2023, adding new examples of high-risk processing operations, such as:\n<ul>\n<li>Intelligent video surveillance or facial recognition.<\/li>\n<li>AI systems for assessing behaviour or employee performance.<\/li>\n<li>Big Data platforms for large-scale user analytics.<\/li>\n<li>Processing of biometric or genetic data.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>What a data protection impact assessment should include<\/h2>\n<p>According to the 
EDPB Guidelines and the AEPD Practical Guide (2023), a complete DPIA should contain at least the following elements:<\/p>\n<h3>Detailed description of the processing<\/h3>\n<ul>\n<li>Nature, scope, context, and purpose of the processing.<\/li>\n<li>Categories of personal data and recipients.<\/li>\n<li>Data retention periods.<\/li>\n<li>Technical and organisational measures in place.<\/li>\n<li>Compliance with approved codes of conduct or certifications.<\/li>\n<\/ul>\n<h3>Assessment of necessity and proportionality<\/h3>\n<ul>\n<li>Lawfulness of the processing.<\/li>\n<li>Adequacy, relevance, and data minimisation.<\/li>\n<li>Reasonable retention and processing period.<\/li>\n<li>Measures to guarantee data subject rights: information, access, rectification, portability, objection, restriction, and erasure.<\/li>\n<\/ul>\n<h3>Identification and management of risks<\/h3>\n<ul>\n<li>Analysis of the origin, nature, likelihood, and severity of the risks.<\/li>\n<li>Potential effects on rights and freedoms (unauthorised access, alteration, loss, misuse).<\/li>\n<li>Security and mitigation measures adopted.<\/li>\n<\/ul>\n<h3>Involvement of relevant parties<\/h3>\n<ul>\n<li>Consultation with the Data Protection Officer (DPO).<\/li>\n<li>Consultation, where appropriate, with data subjects or their representatives.<\/li>\n<\/ul>\n<h3>Follow-up and review<\/h3>\n<ul>\n<li>Periodic review of the DPIA whenever changes occur in the processing activity or risk level.<\/li>\n<li>Documentation and traceability of all decisions made.<\/li>\n<\/ul>\n<p>When the measures identified are insufficient to reduce the risk to an acceptable level, the controller must consult the competent supervisory authority (the AEPD in Spain) before starting the processing.<\/p>\n<h2>Consequences of non-compliance<\/h2>\n<p>Failure to carry out a DPIA when required, or conducting it incorrectly, may result in <strong>administrative fines of up to \u20ac10 million or 2% of the 
organisation\u2019s total worldwide annual turnover<\/strong>, whichever is higher.<\/p>\n<p>Additionally, failure to conduct a DPIA for high-risk AI projects may lead to further infringements under the AI Act, with penalties reaching up to 7% of the organisation\u2019s global annual turnover.<\/p>\n<p>Big Data, Artificial Intelligence, and data interconnectivity significantly increase privacy risks. A Data Protection Impact Assessment is not only a legal requirement but also a strategic tool to anticipate legal issues, strengthen transparency, and build user trust.<\/p>\n<p>At Letslaw, a law firm specialising in <a title=\"digital law\" href=\"https:\/\/letslaw.es\/en\/digital-lawyers\/\">digital law<\/a>, <a title=\"data protection\" href=\"https:\/\/letslaw.es\/en\/privacy-data-protection-lawyers\/\">data protection<\/a>, and artificial intelligence, we help organisations determine whether their processing activities require a DPIA and guide them in conducting it in accordance with the latest GDPR standards, AEPD recommendations, and the evolving European data and AI regulatory framework.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Any company or e-commerce business that manages personal data must understand what an impact assessment is and when it is mandatory.<\/p>\n","protected":false},"author":26,"featured_media":19745,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[243],"tags":[],"class_list":["post-19743","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-protection"],"_links":{"self":[{"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/posts\/19743","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/comments?post=19743"}],"version-history":[{"count":3,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/posts\/19743\/revisions"}],"predecessor-version":[{"id":19744,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/posts\/19743\/revisions\/19744"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/media\/19745"}],"wp:attachment":[{"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/media?pare
nt=19743"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/categories?post=19743"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/tags?post=19743"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}