What to Do When a DPIA Reveals Risks You Cannot Fully Mitigate
Author: Jerisaliant
When Mitigation Is Not Enough
Sometimes, despite applying all reasonable technical and organizational measures, the residual risk of a processing activity remains high. This is not a failure of the DPIA process—it is the process working as intended. The DPIA has surfaced a genuine privacy risk that cannot be engineered away, and the organization must now make a conscious decision about how to proceed.
GDPR Article 36: Prior Consultation
When a DPIA indicates that processing would result in high risk in the absence of measures taken by the controller to mitigate the risk, Article 36 requires the controller to consult the supervisory authority before processing begins.
The prior consultation process:
- Submit the DPIA and supplementary documentation to your supervisory authority.
- Include: purposes and means of processing, safeguards applied, DPO contact details, and any other information the authority requests.
- The authority has 8 weeks to provide written advice (extendable to 14 weeks for complex cases).
- The authority may advise the controller to modify the processing, impose conditions, or exercise any of its corrective powers under Article 58(2).
Risk Acceptance Criteria
Not all residual risk triggers prior consultation. Define clear organizational criteria for risk acceptance:
- Acceptable risk: Residual risk is low to medium. Proceed with standard controls. Document the rationale.
- Conditionally acceptable risk: Residual risk is medium to high. Proceed with enhanced monitoring, additional mitigations planned, and a shorter review cycle. Senior management sign-off required.
- Unacceptable without consultation: Residual risk is high. Prior consultation with the DPA is required before processing begins.
- Unacceptable: Residual risk is so high that processing should not proceed under any circumstances. Consider abandoning or fundamentally redesigning the processing.
Escalation Procedures
When a DPIA reveals high residual risk, follow a clear escalation path:
- DPO assessment: The DPO provides a formal opinion on the residual risk and whether prior consultation is needed.
- Senior management briefing: Present the DPIA findings, residual risks, and options to decision-makers.
- Legal review: Legal counsel assesses the regulatory risk and potential consequences of proceeding, modifying, or abandoning the processing.
- Board/executive decision: The highest appropriate authority makes the proceed/modify/abandon decision.
Alternative Processing Approaches
Before accepting high residual risk, explore alternatives:
- Data minimization: Can you achieve the same purpose with less data?
- Anonymization: Can you process anonymized data instead of personal data?
- Aggregation: Can individual-level processing be replaced with aggregate-level analysis?
- Shorter retention: Can reducing the retention period lower the risk?
- Different technology: Can an alternative technology achieve the purpose with lower privacy impact?
Documenting the Decision
Whatever the outcome, meticulously document the decision-making process: the residual risks identified, the alternatives considered, the rationale for the chosen approach, the sign-off authority, and any conditions or commitments made. This documentation protects the organization in the event of regulatory scrutiny.
Jerisaliant's DPIA module includes configurable risk thresholds, automated prior consultation flagging, escalation workflow support, and comprehensive decision documentation.