AICM Atlas · CSA AI Controls Matrix
DSP · Data Security and Privacy Lifecycle Management
DSP-09 · Cloud & AI Related

Data Protection Impact Assessment

Specification

Conduct a Data Protection Impact Assessment (DPIA) to evaluate the origin, nature, particularity and severity of the risks upon the processing of personal data, according to any applicable laws, regulations and industry best practices.

Threat coverage

Model manipulation
Data poisoning
Sensitive data disclosure
Model theft
Model/Service Failure
Insecure supply chain
Insecure apps/plugins
Denial of Service
Loss of governance

Architectural relevance

Physical infrastructure
Network
Compute
Storage
Application
Data

Lifecycle

Preparation

Data collection, Data curation, Team and expertise

Development

Design, Guardrails

Evaluation

Evaluation, Validation/Red Teaming

Deployment

Orchestration, AI Services supply chain

Delivery

Operations, Maintenance, Continuous monitoring

Retirement

Data deletion, Archiving

Ownership / SSRM

PI

Owned by the Customer (AIC)

The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies services or products they consume.

Model

Owned by the Customer (AIC)

The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies services or products they consume.

Orchestrated

Owned by the Customer (AIC)

The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies services or products they consume.

Application

Owned by the Customer (AIC)

The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies services or products they consume.

Implementation guidelines

[All Actors]
1. Conduct a Data Protection Impact Assessment (DPIA) for every personal-data processing activity the actor controls, evaluating the likelihood and severity of risks such as bias, re-identification, unauthorized access, or adversarial misuse.

2. Document the processing purpose, data flows, lawful basis, risk findings and mitigation measures, and retain the DPIA report for audit or regulatory review.

3. Review and update the DPIA at least annually or whenever a material change occurs (new data source, new model version, new recipient, major scale-up, etc.).

4. Verify that processing remains compliant with applicable laws and standards (e.g., GDPR, CCPA, ISO 27701, HIPAA) and record evidence of that verification.

[Shared among: AP, AIC, OSP]
1. Provide user-facing transparency (notices, dashboards) and consent or opt-out mechanisms whenever the DPIA identifies heightened impact on data subjects, and propagate those choices through downstream services.

Auditing guidelines

1. Examine procedures related to DPIA risk assessment and determine whether, once a requirement has been established, the CSP identifies and grades the associated risks, reports them, and prioritizes the remediation of risks and non-compliance activities.

2. Examine whether the DPIA process and templates align with the CSP’s risk methodology and taxonomy.

3. Determine if the risks' origin, nature, particularity, and severity are evaluated according to the applicable laws, regulations, and industry best practices for the CSP.

4. Establish whether the CSP has documented the roles and responsibilities for this process.

5. Select a sample of DPIAs and examine evidence to confirm that each assessment was performed to identify associated risks. Further, verify that any action plans were determined and carried out appropriately. Confirm that all relevant evidence was formally documented.

6. Verify that AI systems used in PII processing are included in the DPIA evaluation process.

7. Verify identification and assessment of risks specific to AI systems, such as bias, transparency, and accountability.

8. Verify that the DPIA includes evaluating profiling based on AI systems' data.

9. Verify that records inform the DPIA process for AI systems and are kept up-to-date.

10. Determine if the DPIA includes third-party providers and how identified risks are remediated.

11. Verify that the CSP has procedures to provide information regarding data storage locations, cross-border data flows, and infrastructure security controls when requested by customers conducting DPIAs.

12. Assess if the CSP offers documentation on technical measures implemented at the infrastructure level to support customers' DPIA requirements.

13. Review whether the CSP has a process to notify customers of significant infrastructure changes that might affect existing DPIAs.
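A compliance-as-code check that applies the record contents, review triggers and AI-specific risk coverage expected by the implementation guidelines above (and by audit steps 7, 8 and 10) to one DPIA register entry. This is an added example, not AICM or CSA code; the record fields, risk category names and sample values are my own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Risk categories a DPIA for an AI system should cover, taken from implementation
# guideline 1 and audit steps 7-8. All names below are my own assumptions.
AI_RISK_CATEGORIES = {"bias", "re-identification", "unauthorized-access",
                      "adversarial-misuse", "transparency", "accountability",
                      "profiling"}
REVIEW_INTERVAL = timedelta(days=365)  # guideline 3: "at least annually"

@dataclass
class DPIA:                   # one DPIA record (guideline 2); fields are assumed
    system: str
    purpose: str
    lawful_basis: str
    data_flows: list          # e.g. "ticket -> LLM API -> reply log"
    third_parties: list       # recipients / downstream providers (audit step 10)
    risks: dict               # category -> recorded mitigation
    assessed_on: date
    model_version: str        # model version in scope when assessed
    data_sources: frozenset

def review_findings(d, today, model_version, data_sources, recipients):
    """Reasons the DPIA is incomplete or must be re-run; empty list means OK."""
    out = []
    if not d.purpose.strip() or not d.lawful_basis.strip():
        out.append("purpose or lawful basis missing")
    if not d.data_flows:
        out.append("no data flows documented")
    gaps = AI_RISK_CATEGORIES - set(d.risks)
    if gaps:
        out.append("risk categories not assessed: " + ", ".join(sorted(gaps)))
    out += [f"no mitigation recorded for {c}" for c, m in d.risks.items() if not m]
    # Material-change triggers from guideline 3
    if today - d.assessed_on > REVIEW_INTERVAL:
        out.append("annual review overdue")
    if model_version != d.model_version:
        out.append(f"new model version since assessment: {model_version}")
    if data_sources - d.data_sources:
        out.append("new data source(s): " + ", ".join(sorted(data_sources - d.data_sources)))
    new_rcpt = [r for r in recipients if r not in d.third_parties]
    if new_rcpt:
        out.append("new recipient(s): " + ", ".join(new_rcpt))
    return out

# Constructed sample: assessed over a year ago, profiling risk never assessed.
SAMPLE = DPIA("support-assistant", "Answer customer tickets", "contract",
              ["ticket -> LLM API -> reply log"], ["llm-vendor"],
              {c: "documented" for c in AI_RISK_CATEGORIES - {"profiling"}},
              date(2024, 1, 15), "v1", frozenset({"tickets"}))
```

Running `review_findings(SAMPLE, date(2025, 6, 1), "v2", frozenset({"tickets", "chat-transcripts"}), ["llm-vendor", "analytics-vendor"])` returns five findings, one per unmet expectation, which is the evidence an auditor following steps 5 and 9 would look for.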

Standards mappings

ISO 42001: No Gap
42001: A.2.3 Alignment with other organizational policies
42001: A.5.2 AI system impact assessment process
42001: A.5.3 Documentation of AI system impact assessments
42001: A.5.4 Assessing AI system impact on individuals or groups of individuals
42001: A.7.5 Data Provenance
27001: 6.1.1 General - Planning
27001: 8.2 - Information security risk assessment
27001: 8.3 - Information security risk treatment
27001: A.5.34 - Privacy and protection of personal identifiable information (PII)
27002: 5.34 - Privacy and protection of personal identifiable information (PII)
Addendum

N/A

EU AI Act: No Gap
Article 9
Article 27
Addendum

N/A

NIST AI 600-1: Full Gap
No Mapping
Addendum

Include need for performing a Data Protection Impact Assessment (DPIA).

BSI AIC4: No Gap
BC-06
Addendum

N/A

AI-CAIQ questions (1)

DSP-09.1

Are Data Protection Impact Assessments (DPIAs) conducted to evaluate the origin, nature, particularity, and severity of the risks upon the processing of personal data, according to any applicable laws, regulations, and industry best practices?