A data protection impact report, the relatório de impacto à proteção de dados pessoais or RIPD, is the LGPD's impact-assessment instrument. The LGPD defines it in Article 5(XVII) as a document describing the processing of personal data that could pose risks to civil liberties and fundamental rights, along with the measures to mitigate them. Under Article 38 the ANPD, Brazil's data protection authority, may order a controller to produce one, particularly where processing relies on legitimate interest or carries higher risk.
Brazil's LGPD is modeled closely on the GDPR, and its impact instrument follows the pattern: where processing could affect people's rights, the controller documents the processing, the risks, and the safeguards. The Brazilian version, the RIPD, is defined in the law and can be demanded by the regulator. This guide covers what it is, when it applies, what it contains, and how to prepare one.
What the RIPD is
The RIPD is defined in Article 5(XVII) of the LGPD as a report describing the data processing operations that may generate risks to civil liberties and fundamental rights, together with the measures, safeguards, and risk-mitigation mechanisms the controller adopts. It is the documented analysis a controller relies on to show it considered the impact of its processing on data subjects.
When it is required
Article 38 gives the ANPD the power to require a controller to prepare a RIPD, including for processing based on the legitimate-interest legal basis. In practice it is expected for higher-risk processing: large-scale handling of personal data, sensitive data, profiling, or new technologies. Even where the ANPD has not ordered one, preparing a RIPD for high-risk processing is treated as good practice and as evidence of the accountability the LGPD requires.
What it must contain
Following Article 5(XVII), a RIPD describes the processing and assesses its risk to rights. A complete report covers:
- A description of the processing operations and their purpose.
- The types of personal data involved, including any sensitive data.
- An assessment of the risks to data subjects' rights and freedoms.
- The safeguards and risk-mitigation measures the controller adopts.
How to prepare a RIPD
Step 1: Describe the processing
Set out the data, the purpose, the legal basis, and the flows, so the analysis has a clear subject.
Step 2: Assess the risks to rights
Identify the risks the processing poses to data subjects' civil liberties and fundamental rights, and rate them.
Step 3: Set out the safeguards
Document the measures that mitigate each risk and the residual risk that remains.
Step 4: Document and keep current
Record the report so it can be produced if the ANPD requests it, and revisit it when the processing changes.
RIPD and the GDPR DPIA
The two are close cousins. Both document processing, assess risk to individuals, and record safeguards. The main difference is the trigger: the GDPR DPIA is required by law whenever processing is likely to result in a high risk, while the RIPD is an instrument the ANPD may demand under Article 38, with high-risk processing the usual occasion. A controller operating under both regimes can often build one analysis that satisfies each.
For the wider regime, see the Brazil LGPD compliance guide and the LGPD glossary; for the EU instrument it parallels, see the GDPR DPIA guide.
Primary sources
- LGPD (Law 13.709/2018), Articles 5(XVII) and 38: The data protection impact report (RIPD), which the ANPD may require of the controller.