This is meant to clarify for clients:

  • What Mercury provides (audit evidence, artifacts, technical notes).
  • What only legal counsel can provide (formal Data Protection Impact Assessments under GDPR).
  • How the two connect.

DPIA Companion Notes

Mercury Security | 2025

Introduction

A Data Protection Impact Assessment (DPIA) is a formal requirement under the General Data Protection Regulation (GDPR) when processing is likely to result in a high risk to the rights and freedoms of individuals (European Union, 2016). DPIAs are legal instruments that must be performed or validated by the data controller, often in consultation with legal counsel or a Data Protection Officer (DPO).

Mercury Security does not perform DPIAs on behalf of clients. Instead, we provide companion notes that supply the technical evidence and governance context required for a DPIA. These notes bridge the gap between AI audit activities and the formal legal process.

Purpose

The purpose of these companion notes is to:

  • Identify what technical artifacts are available from the audit process.
  • Map artifacts to DPIA sections commonly required by regulators.
  • Clarify where legal interpretation or judgment is required beyond Mercury Security’s scope.

Scope of Mercury Security Deliverables

As part of our audits, Mercury Security provides:

  • System descriptions (purpose, boundaries, and out-of-scope uses).
  • Evidence packs (logs, configuration screenshots, test results).
  • Governance artifacts (purpose declarations, consent notices, HITL rules).
  • Risk indicators flagged during bias, safety, and security testing.
  • Framework crosswalks showing how evidence aligns with GDPR, EU AI Act, NIST AI RMF, and ISO/IEC 42001.

These deliverables provide the factual, technical foundation for DPIAs.

Areas Requiring Legal Counsel

Mercury Security does not provide:

  • Determination of lawful basis for processing under GDPR Articles 6 and 9.
  • Balancing tests for legitimate interest.
  • Formal risk classification of “high risk” processing.
  • Notifications to supervisory authorities.
  • Consultation with data subjects or unions where required.

These elements must be completed by the client’s legal team or Data Protection Officer.

Practical Companion Use

A DPIA typically includes the following sections, with Mercury’s contribution noted:

DPIA Section               Mercury Contribution                          Requires Legal Input
-------------------------  --------------------------------------------  ---------------------------
Description of processing  System description, data flow mapping         Contextual legal framing
Purpose of processing      Purpose declaration, evidence pack            Lawful basis analysis
Assessment of necessity    Evidence of minimization, retention policies  Legal proportionality test
Assessment of risks        Bias/safety test results, logging integrity   Legal classification
Safeguards in place        HITL SOP, access controls, hosting assurance  Binding contractual clauses
Consultation               N/A                                           Supervisory authority / DPO

Conclusion

DPIAs require both technical and legal expertise. Mercury Security provides the technical backbone—system evidence, governance artifacts, and audit results—while legal counsel ensures that the assessment satisfies GDPR requirements. This partnership lets organizations demonstrate defensible compliance while maintaining legal validity.

References

European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation). Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679

European Union. (2024). Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union. https://eur-lex.europa.eu

ISO. (2023). ISO/IEC 42001:2023 Information technology — Artificial intelligence — Management system. International Organization for Standardization.

National Institute of Standards and Technology. (2023). AI Risk Management Framework (NIST AI RMF 1.0). Gaithersburg, MD: NIST.
