A Data Protection Impact Assessment (DPIA) is the formal risk analysis required for high-risk data processing under the Philippine Data Privacy Act. Most Filipino business owners have never heard of it. Many should have already completed one.
This guide explains what a DPIA is, when it is legally required, and how to do one for a typical Philippine SME.
What a DPIA Actually Is
A DPIA is a structured document that identifies privacy risks BEFORE a new data processing activity starts. It forces your business to think through:
- What data will you collect?
- Why exactly do you need each piece?
- Where will it live and who will access it?
- What could go wrong?
- How will you mitigate those risks?
The output is a written report your DPO signs off on, kept on file for NPC inspection.
It is not a one-time compliance hoop — it is a thinking framework. Done right, it prevents privacy disasters that cost far more than the DPIA itself.
When a DPIA Is Legally Required
Under NPC Circular 17-01 and NPC Advisory 2017-03, a DPIA is mandatory before you:
1. Process Sensitive Personal Information at Scale
If you process health records, government IDs, criminal records, or other sensitive personal information for more than 250 individuals, a DPIA is required.
Common Philippine business triggers:
- Healthcare provider expanding patient intake
- Lending company onboarding new borrowers
- School enrolling new students
- HR services managing employment records
2. Use Automated Decision-Making
If your business uses algorithms or AI to make significant decisions about people without human review — credit scoring, automated loan approval, AI-driven hiring filters — a DPIA is required.
3. Conduct Large-Scale Systematic Monitoring
Surveillance of employees, customers, or public areas at scale. Examples:
- Multiple-camera CCTV system in a workplace
- Employee productivity tracking software
- Customer behavior analytics on a website (heatmaps, session recording)
4. Combine Datasets for Cross-Analysis
Joining customer data with third-party demographic or behavioral data — for marketing analytics, risk scoring, or personalization — triggers DPIA requirements.
5. Use New Technologies With Unknown Privacy Implications
AI chatbots, biometric authentication, facial recognition, IoT devices in commercial settings — any new technology with significant data processing.
If your business does any of the above and you have no DPIA on file — you have a compliance gap.
When a DPIA Is Best Practice (Even If Not Mandatory)
Even when not strictly required by law, NPC strongly recommends DPIA for:
- Launching a new website that collects customer data
- Migrating to a new CRM or ERP system
- Outsourcing data processing to a new vendor
- Offering a new digital service
- Major operational changes (new branch, new business line)
DPIA-by-default is the mark of a mature privacy program. It demonstrates good faith if NPC ever investigates.
How to Conduct a DPIA — The 7-Step Process
Step 1 — Describe the Processing
Write a plain-language description of what you plan to do. Include:
- The purpose
- Categories of data subjects (customers, employees, vendors)
- Categories of personal data
- Recipients (who else gets the data)
- Retention periods
- Technical means (databases, software, cloud services)
This forces specificity before you commit resources.
Step 2 — Assess Necessity and Proportionality
Ask:
- Is the data actually needed for the stated purpose?
- Could you achieve the same result with less data?
- Is the data collection proportionate to the benefit?
This is where many DPIAs surface that the project is asking for more than it needs.
Step 3 — Identify Risks to Data Subjects
For each data flow, what could go wrong from the user's perspective?
- Unauthorized access (hacking, insider misuse)
- Accidental disclosure (wrong-recipient email, lost device)
- Function creep (data used for purposes beyond the stated one)
- Inability to exercise rights (cannot access, correct, or delete data)
Rate each risk by likelihood and severity.
Step 4 — Identify Mitigations
For each significant risk, list the specific controls:
- Encryption at rest and in transit
- Access controls and audit logs
- Staff training on the specific data handling
- Vendor agreements with privacy clauses
- Retention deletion automation
- Backup and recovery procedures
Step 5 — Assess Residual Risk
After mitigations, what risk remains? If residual risk is still high, the project may need to be reduced in scope, or NPC consultation may be required.
Step 6 — Get DPO Sign-Off
The DPIA is signed by:
- The project owner (operations side)
- The Data Protection Officer (privacy side)
- A senior decision-maker who owns budget and risk
This is not a formality. The DPO's signature carries personal responsibility.
Step 7 — Document, File, and Review
The completed DPIA goes on file. Review and update it:
- Whenever the processing changes
- Annually as a routine check
- Immediately if a breach or incident occurs
NPC may request DPIA documentation during audits or investigations.
Common DPIA Mistakes for Philippine SMEs
- Treating it as paperwork: a real DPIA changes decisions. If yours did not, you did not really do one.
- DPO completes it alone: it should be cross-functional (ops, IT, legal, DPO).
- No follow-up on mitigations: the controls listed in the DPIA must actually be implemented.
- No annual review: DPIAs are living documents.
- Skipping it for "small" projects: many "small" projects involve significant data risk.
Sample DPIA Triggers for a Typical Philippine SME
A 20-person business should expect to run 2-4 DPIAs per year on activities like:
- Switching CRM systems
- Adding online booking
- Implementing CCTV in the storefront
- Onboarding a new email marketing tool
- Adding chat widget on the website
- Starting employee productivity tracking
Each DPIA takes 4-12 hours of focused work spread across team and DPO.
Frequently Asked Questions
Do small businesses really need to do DPIAs?
If you trigger any of the mandatory conditions — yes, regardless of size. The DPA does not have size exemptions for DPIA requirements.
Can my outsourced DPO do the DPIA for me?
The DPO facilitates and signs off. But the business owner and operational team must provide the inputs (purpose, data, systems, retention). Outsourced DPOs cannot DPIA in a vacuum.
What if NPC asks for a DPIA we never did?
You will be asked to produce one. If you cannot, NPC may treat the underlying processing as non-compliant — and that becomes an aggravating factor in any related investigation.
Is there a standard DPIA template?
NPC provides a template in NPC Advisory 2017-03. Most outsourced DPO services provide customized templates calibrated to industry and risk level.
Need Help With Your First DPIA?
DPIA work is core to our outsourced DPO service at RDahunan I.T. Services. We facilitate, document, and sign off on DPIAs for Philippine SMEs across industries. Want a free 30-minute consult to identify which of your current operations should have a DPIA on file? Send us a message.
General DPO guidance. Not legal advice.