Pillar II: Legal and Regulatory · § 08

Compliance architecture. DPIA and ROPA

Two documents hold the compliance architecture together. The DPIA (Data Protection Impact Assessment) lives at the feature level. The ROPA (Records of Processing Activities) lives at the organization level. The DPIA explains why a single feature is safe. The ROPA explains what the organization processes overall. Together they are what a regulator or a customer DPO inspects.

Decree 13/2023 Article 22 mandates a DPIA for high-risk processing. Article 21 mandates a ROPA for organizations processing personal data at scale. You treat both as continuous documents: version-controlled, kept current, and visible to anyone empowered to inspect them.

A DPIA is mandatory at Bizzi when any of the following holds.

  • The AI feature processes personal data at scale.
  • The feature automates decisions with legal or financial consequences, even if a HITL (human-in-the-loop) fallback exists.
  • The feature is deployed into a sensitive sector (banking, insurance).
  • A new vendor is introduced and no reusable DPIA template applies.

Every DPIA carries the same seven sections.

  1. Feature description. What Bizzi is doing, what data is processed, where it is stored, who receives it.
  2. Purpose and legal basis. The basis under Decree 13 Article 13 (consent, contract, legitimate interest).
  3. Proportionality assessment. The data-minimization measures applied.
  4. Risk assessment. Likelihood multiplied by impact for each identified risk (leak, drift, misuse).
  5. Mitigation controls. PII Redaction, encryption, access control, audit trail.
  6. Data subject rights. How Bizzi services DSAR, opt-out, and erasure requests.
  7. Sub-processors and data flow. The third-party list and the cross-border data flow diagram, if any.

The DPO signs the DPIA before the feature enters production. Every DPIA is reviewed at least annually or whenever the underlying processing changes materially.

The ROPA records the following for each processing activity.

  • Activity name and description.
  • Purpose of processing.
  • Categories of data subjects (B2B customer staff, customers’ end-customers, customer vendors).
  • Categories of personal data.
  • Categories of recipients, including sub-processors and cross-border transfers.
  • Retention period.
  • Technical and organizational security measures.

Every new AI feature either creates a new ROPA entry or updates an existing one. The DPIA is the long-form document. The ROPA entry is the index.

DPIA and ROPA intake flow.

  1. Step 1. New processing activity.
  2. Step 2. Five-question assessment. Run the question set in §2.
  3. Decision. DPIA required?
     • No: light ROPA entry (terminal).
     • Yes: continue to Step 3.
  4. Step 3. Author DPIA from template.
  5. Step 4. DPO approves.
  6. Step 5. ROPA updated.
  7. Step 6. Feature enters production.
  8. Step 7. Annual review, earlier on material change.

DPIA and ROPA live in the document management system with the following controls.

  • Full version control. Every change is diffable and attributable.
  • Access controls. DPO and Legal have full access. The CoE Lead and Stewards have read access.
  • Customer-facing summaries. Contracted customers request the DPIA summary applying to their use case through the contract channel.