DPIA Methodology for Multinationals

8-Phase Framework — Structured Flow

DPIA methodology for multinationals is a systematic process divided into 8 phases.

1

Scoping & Jurisdictional Mapping

Define processing perimeter (data, geographies, actors). Identify all relevant jurisdictions and supervisory authorities involved.

2

Regulatory Landscape Analysis

Mapping of GDPR, LGPD, AI Act, sector-specific laws (HIPAA, GLBA, MiFID II, NIS 2) and national laws. Identify conflicts.

3

Cross-Border Data Flow Mapping

Documentation of where data enters, is processed, stored and exits. Identify international transfers and risk points.

4

Multi-Regime Impact Assessment

Risk assessment under each regime (GDPR, LGPD, AI Act, sectoral). Document potential violations, consequences and affected parties.

5

International Transfer Assessment (TIA)

Specific assessment of post-transfer risk. Legal mechanism (SCC, BCR, adequacy). Supplementary measures (encryption, pseudonymisation).

6

Risk Mitigation & Recommendations

Implementation of technical, legal and organisational controls. Prioritisation by risk and feasibility.

7

Documentation & Opinion

Drafting comprehensive DPIA report with compliance opinion. Presentation to DPO, legal counsel and stakeholders.

8

Continuous Monitoring & Annual Review

Implementation of compliance controls. Annual review or after significant changes in processing.

Phase 1: Jurisdictional Mapping

The first step is to answer: where is the data? Where is it processed? Who is responsible?

Identify data locations (data centres, servers, storage)
Map supervisory authorities per jurisdiction (CNPD, CNIL, BfDI, ICO, etc.)
Define legal relationships (controller, processor, sub-processor)
Document adequacy decisions (EU-US DPF, UK, Japan, Brazil)
Consider CPLP markets and special regimes

Phase 2: Regulatory Landscape Analysis

Harmonise requirements of GDPR, LGPD, AI Act and sector-specific laws.

International Reference Methodologies Table (Phase 3)

Comparative analysis with international methodologies (CNIL PIA, ICO, NIST, ISO 29134) ensures multinational DPIA incorporates global best practices.

Phase 3: Cross-Border Data Flow Mapping

Tools and techniques to document data movement.

Data flow diagrams — visual of origin, processing, destination
Transfer registers — document each SCC, BCR, legal mechanism
Responsibility matrix — controller, processors, sub-processors per jurisdiction
State access capability assessment — surveillance risk per country (especially US post-Schrems II)
Data retention analysis — how long data remains in each jurisdiction

Phase 4: Multi-Regime Impact Assessment

Risk assessment under each legal regime. The consolidated risk matrix ensures compliance with all authorities.

Regime	Risk Category	Potential Violation	Severity
GDPR	Transfer without SCC	Article 44 — Transfer without legal basis	High
GDPR	State surveillance (Schrems II)	Article 35 — Risk of interception in US	High
LGPD	Transfer without consent	Article 5 XVII — Unauthorised transfer	High
AI Act	High-risk AI without FRIA	Article 27 — Fundamental rights violation	High
AI Act	Discriminatory bias cross-border	Article 10 — Non-discrimination violation	High

Phase 5: Transfer Impact Assessment (TIA)

TIA is the specialised assessment of whether data can be legally transferred and protected post-transfer.

State access assessment — investigate if destination country government can unlawfully access data
SCC/BCR analysis — what legal mechanism supports the transfer?
Supplementary measures — end-to-end encryption, pseudonymisation, tokenisation
EDPB 01/2020 — Reference for adequate supplementary measures
Compliance opinion — position: "transfer allowed with measures X" or "high-risk transfer — reconsider"

Special: Transfers to USA post-Schrems II

Even with EU-US DPF, data on US servers is subject to state surveillance (EO 14028). TIA must document residual risk and mitigation measures (encryption, restricted access).

Phase 6: Risk Mitigation

Implementation of controls to reduce identified risk.

Technical Controls

Encryption in transit and at rest (TLS 1.3, AES-256)
Pseudonymisation and anonymisation
Data segregation by jurisdiction
Restricted access and multi-factor authentication

Legal Controls

Updated SCC/BCR contract
Termination clauses if processor breaches
Notification obligations to individuals
Cooperation with supervisory authorities

Organisational Controls

DPIA training for international teams
DPO access to DPIA documentation
Annual compliance review
Independent audit (if applicable)

International Reference Methodologies

Global best practices that inform the multinational DPIA.

Methodology	Origin	Application	Relevance for Multinational DPIA
CNIL PIA	France (CNIL)	French DPIA methodology with open-source software	Structured risk assessment. Well-accepted in EU.
ICO DPIA	United Kingdom (ICO)	Practical post-Brexit DPIA guide	Incorporates Schrems II and UK GDPR. Transfer reference.
NIST Privacy Framework	USA (NIST)	Privacy framework with risk taxonomy	Structure for state surveillance assessment (US context).
ISO 29134	ISO	Standard for Privacy Impact Assessment	International assessment structure. GDPR-compatible.
ISO 27701	ISO	Extension of ISO 27001 for privacy	Technical controls for privacy and transfers.
IAPP Privacy by Design	IAPP	Privacy by Design principles	Integration of privacy into multinational system design.

Phase 7: Documentation & Opinion

The outcome is a comprehensive DPIA report with compliance opinion.

DPIA Report Structure

Executive Summary — Final result, opinion, next steps
Processing Description — Data, purposes, actors, jurisdictions
Legal Mapping — Applicable GDPR, LGPD, AI Act, sector-specific laws
Risk Assessment — Risk matrix per regime and category
Transfer Impact Assessment — Evaluation of international transfers
Recommendations & Mitigation — Controls to implement with timeline
Compliance Opinion — Conclusion: "Compliant", "Compliant with Conditions", "Non-Compliant"
DPO & Legal Counsel Approval — Signed by involved parties

Phase 8: Continuous Monitoring & Review

DPIA is not a "set and forget" document. It requires active monitoring.

Annual Review — Assessment of compliance with implemented recommendations
Trigger Points — Changes in processing (new country, new processor, new data type) require review
Internal Audit — Verification of control implementation
Compliance Reports — Document for supervisory authorities (if requested)
Decision Updates — Case law (CJEU), new EDPB opinions, legislative changes

Multi-Stakeholder Coordination

Multinational DPIA requires involvement of multiple teams.

DPO (Data Protection Officer)

Supervisor of DPIA. Responsible for quality and completeness.

Legal Counsel / Compliance

Interpretation of national and sectoral laws. Compliance opinion.

CTO / IT Security

Implementation of technical controls (encryption, access, segregation).

Business / Product Team

Description of processing, purposes, data needs.

Processors & Vendors

Information on where they process, controls implemented, compliance.

Supervisory Authorities

Pre-decision consultation if high risk (Article 36 GDPR).

Deliverables of a Multinational DPIA

Artefacts expected at the end of the process.

✓ Complete DPIA report (30–80 pages depending on scope)
✓ Consolidated risk matrix (GDPR, LGPD, AI Act, sectoral)
✓ Transfer Impact Assessment (TIA) with compliance opinion
✓ Control implementation plan (with timeline and owners)
✓ Updated SCC/BCR contract (if applicable)
✓ DPO and legal counsel opinion
✓ Consent records (if applicable)
✓ Supplementary measures documentation (encryption, access, segregation)

Next Steps

Ready to implement the methodology? Contact us for specialised multinational DPIA.

International DPIA Services →

Request Assessment →