When is a DPIA required?

GDPR Article 35 requires a DPIA when processing is likely to result in high risk. The EDPB guidelines list nine criteria including: evaluation or scoring, automated decision-making, systematic monitoring, sensitive data processing, large-scale processing, data matching, and processing involving vulnerable individuals. If two or more criteria apply, a DPIA is likely required.

Can database metadata replace a full DPIA?

No. A DPIA covers organizational, legal, and technical aspects. Database evidence supports the technical assessment: what data exists, how it is protected, and who can access it. You still need to document purposes, necessity, proportionality, and subject rights. pgcomply provides the database evidence layer.

Data Protection Impact Assessment (DPIA) at the Database Level

What a DPIA Needs from Your Database

A DPIA has four main steps. Two of them require database-level evidence:

Step 1: Description of Processing

What personal data do you process, where does it live, and how is it classified?

-- Complete PII inventory with classification
SELECT * FROM pgcomply.classification_map();

-- Detailed PII registry
SELECT table_name, column_name, pii_type, forget_strategy
FROM pgcomply.pii_registry
ORDER BY table_name;

-- Data flow: consent and legal basis per purpose
SELECT * FROM pgcomply.consent_purposes();

This produces the data inventory that forms the foundation of every DPIA.

Step 3: Assessment of Safeguards

What technical measures protect this data?

-- Security configuration
SELECT rule, status, detail FROM pgcomply.health_check()
WHERE status IN ('FAIL', 'WARN');

-- Access control assessment
SELECT role, table_name, risk_level
FROM pgcomply.access_map()
WHERE risk_level IN ('HIGH', 'MEDIUM');

-- Protection status per table
SELECT table_name, level, has_masking, has_rls, has_retention
FROM pgcomply.classification_map()
WHERE level IN ('restricted', 'confidential');

Risk Score

Combine findings into a risk matrix:

| Factor | Low Risk | Medium Risk | High Risk | |--------|----------|-------------|-----------| | Data types | Internal only | PII (email, phone) | Special category (health, financial, government ID) | | Access control | RLS + masking | RLS only | Neither | | Encryption | SSL + at rest | SSL only | No SSL | | Audit trail | Immutable + verified | Basic logging | No audit | | Retention | Policy enforced | Policy defined | No policy |

pgcomply's data lets you fill this matrix with evidence rather than assumptions.

Automating DPIA Updates

DPIAs must be updated when processing changes. Schema drift detection catches these changes:

-- New PII columns or tables = DPIA review trigger
SELECT * FROM pgcomply.schema_drift();

Set up weekly monitoring:

SELECT pgcomply.schedule_jobs(install := true);

If drift is detected, review and update the DPIA accordingly.

DPIA Risk Scoring with pgcomply Data

Build a risk score from pgcomply's evidence functions:

-- Count risk factors
WITH risk_factors AS (
  -- High-risk data types
  SELECT 'restricted_tables' AS factor, count(*) AS score
  FROM pgcomply.classification_map() WHERE level = 'restricted'
  UNION ALL
  -- Unprotected PII
  SELECT 'pii_without_masking', count(*)
  FROM pgcomply.classification_map() WHERE level IN ('restricted','confidential') AND has_masking = false
  UNION ALL
  -- Missing RLS
  SELECT 'pii_without_rls', count(*)
  FROM pgcomply.classification_map() WHERE level IN ('restricted','confidential') AND has_rls = false
  UNION ALL
  -- Health check failures
  SELECT 'security_failures', count(*)
  FROM pgcomply.health_check() WHERE status = 'FAIL'
  UNION ALL
  -- Missing retention policies
  SELECT 'no_retention_policy', count(*)
  FROM pgcomply.minimization_report() WHERE has_retention = false
)
SELECT factor, score,
  CASE
    WHEN score = 0 THEN 'LOW'
    WHEN score <= 3 THEN 'MEDIUM'
    ELSE 'HIGH'
  END AS risk_level
FROM risk_factors
WHERE score > 0;

When a DPIA Triggers a Change

If the DPIA reveals high risk, the GDPR requires you to either mitigate the risk or consult the supervisory authority. Common mitigations at database level:

-- Mitigation 1: Enable masking on all restricted tables
SELECT pgcomply.mask(table_name, column_name, 'partial', ARRAY['postgres', 'dpo'])
FROM pgcomply.pii_registry
WHERE table_name IN (
  SELECT table_name FROM pgcomply.classification_map() WHERE level = 'restricted'
);

-- Mitigation 2: Enable RLS on restricted tables
SELECT pgcomply.enable_rls(table_name, 'user_id')
FROM pgcomply.classification_map()
WHERE level = 'restricted' AND has_rls = false;

-- Mitigation 3: Set retention policies
SELECT pgcomply.retain(table_name, 'created_at', '365 days')
FROM pgcomply.classification_map()
WHERE has_retention = false;

-- Re-run risk assessment
-- Expect all scores to drop to LOW

Document the before/after in your DPIA:

SELECT pgcomply.checklist_update('gdpr', 'ART-35',
  'implemented',
  evidence := 'DPIA conducted 2026-02. Risk mitigated: masking + RLS on all restricted tables. Re-assessment: LOW risk.'
);

Summary

A DPIA requires evidence of what data you process and how you protect it. pgcomply provides this evidence as queryable SQL: classification maps, PII registries, health checks, access maps, and drift detection. The database does not replace the DPIA document, but it provides the factual foundation that makes the DPIA credible.

Data Protection Impact Assessment (DPIA) at the Database Level

What a DPIA Needs from Your Database

Step 1: Description of Processing

Step 3: Assessment of Safeguards

Risk Score

Automating DPIA Updates

DPIA Risk Scoring with pgcomply Data

When a DPIA Triggers a Change

Summary

Frequently Asked Questions

Related Articles

PostgreSQL Row-Level Security (RLS): Complete Guide for Multi-Tenant Applications

Automating Data Classification in PostgreSQL for ISO 27001 and GDPR

The Complete GDPR Compliance Checklist for PostgreSQL (2026)