Autenticare
Governance & Compliance · 9 min

DPIA for Gemini Enterprise projects: practical template (LGPD + ANPD)

If your AI project handles personal data at large scale or makes automated decisions, the ANPD expects a DPIA. Template applied to Gemini Enterprise, with sa-east1, DLP and opt-out.

Fabiano Brito

CEO & Founder

TL;DR The DPIA (Data Protection Impact Assessment, RIPD in Brazil) is what the ANPD expects from any corporate AI project that processes personal data at large scale, uses sensitive data or makes automated decisions with relevant effects. In Gemini Enterprise it is straightforward to fill in, provided that training opt-out, residency in sa-east1, DLP at ingest and audit logging are already configured and evidenced. 10-section template applied to healthcare, education and financial clients.

Brazil's LGPD (Law 13,709/2018) provides for the DPIA in Art. 38. The ANPD, through Resolutions CD/ANPD No. 4/2023 and No. 18/2024, made it clear: AI projects that process personal data at large scale, involve automated decisions with legal effects, or use sensitive data need a documented DPIA available for inspection.

This post brings the template that Autenticare applies in Gemini Enterprise projects — validated with healthcare, education and financial services clients.


When is the DPIA mandatory

  • Processing at large scale (thousands of data subjects or significant volume of data).
  • Use of sensitive data (health, genetic or biometric data, sex life or sexual orientation, racial or ethnic origin, religious or political affiliation, union membership).
  • Data of children and adolescents.
  • Automated decisions with relevant effects (credit, hiring, fraud).
  • Systematic monitoring of data subjects.
  • Any project where legitimate interest is the legal basis.

In our experience, most corporate agent projects meet at least one of these criteria. Have the DPIA ready before go-live, not after the first inspection request.


DPIA structure (Autenticare template)

1. Controller and data protection officer identification

Name, tax ID, DPO contact. If there is a processor (Google Cloud), register it as well with reference to the contract and DPA.

2. Processing description

What the agent does, which data sources it consumes, what outputs it produces. Data flow diagram recommended. In Gemini Enterprise: explicitly indicate that data stays in sa-east1 (São Paulo) and that the training opt-out is active.

3. Purpose and legal basis

For each data category: specific purpose (not just "improve service") and corresponding legal basis (consent, contract execution, legal obligation, legitimate interest, etc.). If using legitimate interest, include the balancing test.

4. Necessity and proportionality

Demonstrate that:

  • The data is minimal for the purpose (data minimization principle).
  • Less invasive alternatives (e.g., aggregation, pseudonymization) were considered and rejected only with a documented reason.
  • The benefit outweighs the risk to the data subject.

5. Data categories and subjects

Table with:

  • Categories: identification, contact, financial, sensitive, behavioral.
  • Subjects: employees, customers, third parties, minors.
  • Estimated volume and frequency.

6. Sharing and international transfers

Critical point in cloud AI. For Gemini Enterprise:

  • Data at rest: sa-east1 (Brazil).
  • Model inference region: confirm per agent and per model, since some models are still served from us-central1; attach the configuration as evidence instead of assuming sa-east1.
  • Google administrative logs: may cross borders; cover this with the standard contractual clauses in the Google Cloud DPA.
  • Zero sharing for training: attach the opt-out confirmation.

7. Technical and administrative security measures

In Gemini Enterprise, list:

  • Encryption at rest (AES-256) and in transit (TLS 1.3).
  • CMEK (customer-managed keys in Cloud KMS) where the data classification requires it.
  • VPC Service Controls perimeter around the project, so data cannot be exfiltrated to services outside it.
  • IAM with least privilege and mandatory MFA for every human account.
  • DLP at ingest: mask or tokenize CPF, e-mail, phone and sensitive-category data before content is indexed or sent to the model.
  • Retrieval ACLs inherited from the source (Workspace groups), so the agent only returns documents the asking user can already read.
  • Complete audit trail (Cloud Audit Logs plus application logs, with the identifiers pseudonymized).
  • Defined retention period with automatic deletion for indexes, prompts and logs.

8. Risk analysis

Table with risk × probability × impact × mitigation. Common examples in AI:

  • Hallucination involving personal data (invented attributes about a real person): mitigate with mandatory source citations and a gold-set evaluation run before each release.
  • Bias in automated decisions: mitigate with quarterly fairness auditing and human review of contested outcomes.
  • Prompt injection via ingested documents or user input: mitigate with input sanitization, least-privilege tool scopes and isolation of tool execution from untrusted content.
  • Improper access to documents: mitigate with Drive-inherited ACLs enforced at retrieval time.
  • Re-identification from logs: pseudonymize identifiers with a keyed hash (HMAC) before they are written, with the key stored outside the logging project; a plain hash of a CPF is reversible by enumeration.
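To make the DLP-at-ingest control and the log pseudonymization mitigation concrete, here is an added example written for this post (not Autenticare's or Google's code). It is a local stand-in for the managed Sensitive Data Protection scan rather than a call to it: it detects Brazilian CPF (with check-digit validation to avoid masking random 11-digit strings), e-mail and BR phone numbers, masks them before text reaches the index or the model, and replaces identifiers in a log record with an HMAC-SHA256 pseudonym. The log field names, the sample record and the key are constructed for the example.

```python
# Added example for this post (not Autenticare's or Google's code). Local
# stand-in for the managed DLP scan at ingest plus keyed pseudonymization of
# identifiers in logs. Field names, sample record and key are constructed.
import hashlib
import hmac
import re

# Brazilian CPF: 000.000.000-00, with or without separators.
CPF_RE = re.compile(r"(?<!\d)\d{3}\.?\d{3}\.?\d{3}-?\d{2}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# BR phone: optional +55, 2-digit area code, 8 or 9 digits, common separators.
# Heuristic; the lookarounds stop it firing inside longer digit runs
# (invoice or ticket numbers). Tune to the corpus being ingested.
PHONE_RE = re.compile(r"(?<!\d)(?:\+55\s?)?\(?\d{2}\)?\s?9?\d{4}-?\d{4}(?!\d)")


def cpf_is_valid(cpf: str) -> bool:
    """Verify both CPF check digits (mod-11 scheme), so that CPF-shaped
    strings that are not CPFs are not masked (fewer false positives)."""
    digits = [int(c) for c in cpf if c.isdigit()]
    # Repeated digits such as 111.111.111-11 pass mod 11 but are not issued.
    if len(digits) != 11 or len(set(digits)) == 1:
        return False
    for n in (9, 10):
        total = sum(d * w for d, w in zip(digits[:n], range(n + 1, 1, -1)))
        if (total * 10) % 11 % 10 != digits[n]:
            return False
    return True


def mask_text(text: str, require_valid_cpf: bool = True) -> str:
    """Replace identifiers with typed placeholders before the text is indexed
    or sent to the model. CPF runs first because it is the most digit-heavy
    pattern. With require_valid_cpf=False every CPF-shaped string is masked
    (higher recall, more false positives); pick per data classification."""
    def cpf_sub(m):
        if require_valid_cpf and not cpf_is_valid(m.group()):
            return m.group()
        return "[CPF]"
    text = CPF_RE.sub(cpf_sub, text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return text


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym for log records. A plain SHA-256 of a CPF is reversible
    by enumerating the roughly 10^9 valid CPFs; an HMAC with a key held outside
    the logging project is not. Identifiers are normalized first so that
    '111.444.777-35' and '11144477735' map to the same token."""
    normalized = "".join(c for c in identifier if c.isalnum()).lower()
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()
    return "id_" + digest[:16]


def prepare_log_record(record: dict, key: bytes) -> dict:
    """Return a copy of an application log record that is safe to write:
    direct identifiers pseudonymized, free-text fields masked.
    The field names are an assumption for this example."""
    out = dict(record)
    for field in ("user_cpf", "user_email"):
        if field in out:
            out[field] = pseudonymize(out[field], key)
    for field in ("prompt", "response"):
        if field in out:
            out[field] = mask_text(out[field])
    return out


def demo() -> dict:
    # Constructed sample. In production the key comes from Secret Manager/KMS
    # and is never written to the same project as the logs.
    key = b"log-pseudonym-key-rotated-quarterly"
    record = {
        "agent": "atendimento-rh",
        "user_cpf": "111.444.777-35",
        "prompt": "Meu CPF é 111.444.777-35, e-mail ana@exemplo.com.br, tel (11) 98765-4321",
        # CPF-shaped but fails the check digits, so it is kept as-is in strict mode.
        "response": "Pedido 123.456.789-00 registrado.",
    }
    return prepare_log_record(record, key)


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

Two design points worth carrying into the DPIA evidence: the check-digit validation is what lets you state the false-positive rate of the CPF rule honestly, and the HMAC (not a bare hash) is what makes the "identifier hashing in logs" mitigation defensible under the re-identification risk, because the attacker who steals the logs still needs the key.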

9. Data subject rights

How the project addresses:

  • Access and copy (LGPD Art. 18).
  • Correction and deletion.
  • Review of automated decisions (Art. 20).
  • Portability when applicable.
  • Contact channel (DPO email, form).

10. Conclusion and review plan

DPO opinion on the acceptability of the processing. Date of next review (recommended: annual or at each material change).


⚠️ Errors that invalidate the DPIA

  • Too generic: "we use AI for productivity" does not describe processing. Be specific per agent.
  • No legitimate interest test when that is the legal basis.
  • No opt-out evidence: attach a screenshot or the configuration.
  • No review plan: the ANPD considers it a "living" document.
  • Signed only by IT: the DPO, legal and business teams must take part.

How Autenticare delivers

In Gemini Enterprise projects, the DPIA is delivered in 2–3 weeks as a parallel deliverable to technical implementation. We include:

  • Template filled with the real architecture.
  • Legitimate interest test when applicable.
  • Configuration evidence (opt-out, region, DLP).
  • Risk matrix with implemented mitigations.
  • DPO training for the client to maintain the document.
A good DPIA is a boring DPIA: specific, dated, signed by the DPO + legal + business. Generic doesn't protect the company or the data subject.

Want the editable template applied to your project?

.docx template with 10 sections + legitimate interest test + risk matrix + configuration evidence. Delivery in 2–3 weeks in parallel with technical implementation.

