The term privacy impact assessment (PIA), or data privacy impact assessment (DPIA), is introduced in Article 35 of the GDPR and refers to the controller’s obligation to perform an impact assessment and document it before the processing of the data begins. It should be conducted when the processing is likely to result in a high risk to the rights and freedoms of the data subjects.

A DPIA must describe the nature, scope, purposes and context of the processing. It should also identify and assess the risks to individuals while identifying measures to mitigate them. Finally, the impact assessment should assess the necessity of the processing and the compliance measures taken. Assessing a risk means more than identifying and describing it: it also means considering the likelihood of the risk materialising and the severity of its consequences. The DPO may be consulted during the data privacy impact assessment, and in the case of a risk you cannot mitigate on your own, the relevant data protection authorities should be contacted.

Articles: 5, 35, 36, 57

Recitals: 75, 84, 89, 90, 91, 92, 93, 94, 95, 96