> For the complete documentation index, see [llms.txt](https://doc.dastra.eu/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://doc.dastra.eu/en/useful-reminders/gdpr-key-concepts/impact-assessment.md).

# Privacy impact assessment

### 📖 What is a PIA?

The **Data Protection Impact Assessment (DPIA)**, provided for by [Article 35 of the GDPR](https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e3546-1-1), is a **compliance mechanism** that aims to:

* **Identify and minimise the risks** of infringement on the rights and freedoms of individuals,
* **Prove compliance** with the GDPR,
* And **integrate privacy from the design phase** (*Privacy by design*).

> ⚖️ The PIA focuses on **risks to individuals**, not risks to the organisation.

**PIA = Privacy Impact Assessment = DPIA = Data Protection Impact Assessment**

***

### 🧩 The three components of a PIA

A PIA is structured around three major steps:

1. 📝 **Description of the processing** → Objectives, context, stakeholders, technologies, data involved.
2. ⚖️ **Assessment of necessity and proportionality** → Legal compliance analysis: purposes, legal bases, individual rights, retention periods, etc.
3. 🔐 **Risk study and security measures** → Identification of privacy risks and determination of control measures (technical and organisational).

> 📘 The PIA is simultaneously **legal**, **technical** and **organisational**: it engages the whole project team.

***

### 🎯 Objective of the PIA

The PIA enables an organisation to:

* **Demonstrate compliance** (accountability principle),
* **Anticipate risks** and compliance costs,
* **Document choices** and design decisions,
* **Build trust** with users, clients or employees.

***

### 🔍 When is a PIA required?

A PIA is **mandatory** when processing is **likely to result in a high risk** to the rights and freedoms of individuals (Article 35(1)). Article 35(3) names three cases in particular: systematic and extensive evaluation of personal aspects based on automated processing (including profiling) that produces legal or similarly significant effects; large-scale processing of special categories of data or of data relating to criminal convictions and offences; and systematic, large-scale monitoring of publicly accessible areas.

#### Examples of processing activities concerned:

* Intelligent video surveillance of public areas,
* Automated profile scoring on which decisions are based,
* Large-scale collection of health data,
* Use of biometrics or AI on personal data.

{% hint style="info" %}
The EDPB guidelines on DPIAs (WP248 rev.01) list nine criteria; in most cases, a processing activity that meets **at least two of them** should be treated as high risk and needs a PIA. A single criterion can be enough where the risk is obvious.

* Evaluation or scoring (including profiling),
* Automated decision-making with legal or similarly significant effects,
* Systematic monitoring,
* Sensitive data or data of a highly personal nature,
* Large-scale processing,
* Matching or combining datasets (cross-referencing),
* Data concerning vulnerable individuals,
* Innovative use or new technological or organisational solutions (AI, IoT, big data),
* Processing that prevents individuals from exercising a right or using a service or contract.

Transfers outside the EU appeared as a tenth criterion in the draft guidelines only; they remain a point to examine in the proportionality review. Supervisory authorities also publish lists of processing operations for which a PIA is mandatory (Article 35(4)), such as the CNIL's list; check them before relying on the criteria alone.
{% endhint %}

***

### 🕐 When should it be conducted?

The PIA must be carried out **before the implementation of the processing**, ideally from the design phase. It is a concrete application of the **Privacy by Design** principle.

It must also be:

* **Updated regularly** (every 3 to 5 years),
* **Revised upon any significant change** to the processing, in particular when the risk it presents changes (Article 35(11)),
* **Linked to your record** in Dastra for continuous monitoring.

> 🔁 The PIA is an **iterative process**: it accompanies the entire lifecycle of the processing activity.

***

### ⚙️ How to conduct a PIA?

#### 1. Assess the necessity and proportionality of the processing

Ask yourself the right questions:

* Are the **purposes** determined, explicit and legitimate?
* Is the **legal basis** clear?
* Is data **minimised**, accurate and up to date?
* Are **retention periods** limited?
* Are **data subjects** properly informed?

#### 2. Review the protection of individuals' rights

* Transparent information, valid consent where consent is the legal basis, rights of access, erasure and objection.
* Contracts with processors (Article 28).
* Safeguards for international transfers.
* Corrective measures planned in case of a breach (detection, containment, notification).

#### 3. Analyse privacy risks

For each **feared event**:

* Identify the **potential impacts** on individuals (privacy breach, discrimination, reputational harm…).
* Estimate the **severity** and **likelihood** of the risk.
* Determine the **existing or planned protection measures**.
* Assess the **residual risk** and, if necessary, propose **additional measures**.

{% hint style="success" %}
💡 Final objective: reach an **acceptable level of residual risk**, documented and justified. If the residual risk remains **high** despite the planned measures, the controller must **consult the supervisory authority before starting the processing** (Article 36 GDPR).
{% endhint %}
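The following Python script is an added example, not Dastra's code and not part of the original page. It works through step 3 above for a constructed register of feared events belonging to a hypothetical telehealth platform: each feared event carries its impacts, a severity and a likelihood, the planned measures lower one or both, and the residual risk is classified. The four-level scales, the acceptance matrix, the measures and how many levels each one removes are all assumptions chosen for illustration; the only rule taken from the text is that a residual high risk is not acceptable and triggers prior consultation (Article 36).

```python
from dataclasses import dataclass, field

# Assumed 4-level scale for both severity and likelihood; the page fixes no
# scale, this one borrows the negligible/limited/significant/maximum wording
# found in CNIL-style methods.
LEVELS = {1: "negligible", 2: "limited", 3: "significant", 4: "maximum"}


@dataclass(frozen=True)
class Measure:
    """A technical or organisational measure and the levels it removes (assumed)."""
    name: str
    likelihood_reduction: int = 0  # e.g. MFA, segmentation, logging
    severity_reduction: int = 0    # e.g. pseudonymisation, restorable backups


@dataclass
class FearedEvent:
    """One feared event of the risk study (illegitimate access, unwanted change, loss)."""
    name: str
    impacts: list            # potential impacts on individuals
    severity: int
    likelihood: int
    measures: list = field(default_factory=list)

    def residual(self):
        """Residual (severity, likelihood) after all planned measures, floored at 1."""
        sev = max(1, self.severity - sum(m.severity_reduction for m in self.measures))
        lik = max(1, self.likelihood - sum(m.likelihood_reduction for m in self.measures))
        return sev, lik


def risk_level(severity: int, likelihood: int) -> str:
    """Assumed acceptance matrix: both dimensions significant or worse -> high."""
    if severity >= 3 and likelihood >= 3:
        return "high"
    if severity >= 3 or likelihood >= 3:
        return "medium"
    return "low"


def assess(events):
    """Build the risk register rows and flag residual high risks."""
    rows = []
    for ev in events:
        sev, lik = ev.residual()
        rows.append({
            "event": ev.name,
            "impacts": ev.impacts,
            "initial": risk_level(ev.severity, ev.likelihood),
            "residual": risk_level(sev, lik),
            "residual_severity": LEVELS[sev],
            "residual_likelihood": LEVELS[lik],
            "measures": [m.name for m in ev.measures],
        })
    # A residual high risk needs additional measures or, failing that,
    # prior consultation of the supervisory authority (Article 36 GDPR).
    unresolved = [r["event"] for r in rows if r["residual"] == "high"]
    return {"rows": rows, "unresolved": unresolved,
            "needs_prior_consultation": bool(unresolved)}


# Constructed sample register for a hypothetical telehealth platform.
MFA = Measure("MFA and role-based access on patient records", likelihood_reduction=1)
LOGGING = Measure("Access logging with alerting on bulk reads", likelihood_reduction=1)
PSEUDO = Measure("Pseudonymised copies for analytics", severity_reduction=1)
BACKUP = Measure("Tested offline backups", likelihood_reduction=1, severity_reduction=1)

SAMPLE_REGISTER = [
    FearedEvent("Illegitimate access to health records",
                ["disclosure of health status", "discrimination by insurer or employer"],
                severity=4, likelihood=3, measures=[MFA, LOGGING, PSEUDO]),
    FearedEvent("Loss of records (disappearance of data)",
                ["interrupted care", "inability to exercise the right of access"],
                severity=3, likelihood=2, measures=[BACKUP]),
    FearedEvent("Re-identification of patients from the triage model's training set",
                ["disclosure of health status", "loss of control over data"],
                severity=3, likelihood=3),  # no measure decided yet
]

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_REGISTER), indent=2))
```

Running the script on the sample register leaves the first two events at medium and low residual risk, while the third stays high because no measure has been decided: the register therefore reports that either additional measures or prior consultation are required before the processing starts. Keeping the register as data rather than prose is what makes the iterative revision at each significant change cheap to redo.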

***

### 🧠 Who should be involved?

| Stakeholder              | Role in the PIA                                                |
| ------------------------ | -------------------------------------------------------------- |
| **Data controller**      | Bears responsibility for the PIA and leads its implementation  |
| **DPO**                  | Advises, validates the methodology and assesses residual risks |
| **CISO / IT department** | Provides technical expertise and security measures             |
| **Business teams**       | Provide operational details of the processing                  |
| **Processors**           | Communicate necessary information for the assessment           |
| **Data subjects**        | May be consulted or represented in certain cases               |

> 👥 The PIA is a collaborative process — it involves legal, technical and operational teams alike.

***

### 🤖 PIA and artificial intelligence

The **AI Act** (Regulation (EU) 2024/1689) introduces specific obligations to **document and assess high-risk AI systems**: data governance (Article 10), technical documentation (Article 11), transparency towards deployers (Article 13), human oversight (Article 14), accuracy, robustness and cybersecurity (Article 15), and, for certain deployers, a fundamental rights impact assessment (Article 27). In practice the documentation must include:

* The origin and governance of training, validation and test data,
* Robustness tests and bias assessments,
* Planned human oversight controls,
* Transparency measures.

Dastra allows you to link each **PIA** to an **AI system** to ensure **cross-compliance between GDPR and the AI Act**.

***

### 🧰 Dastra best practices

* Centralise all your PIAs in the **"Record of processing activities" module**,
* Use **predefined risk models** (EDPB, CNIL, ISO 29134),
* Collaborate with teams via **comments and workflows**,
* Export your PIAs as **PDF** for audits,
* Schedule **automatic revision reminders**.

***

### 📘 For more information

{% content-ref url="/pages/-M6E6sWom2H7F\_vNOCJk" %}
[Impact analysis](/en/features/editer-le-registre/remplir-le-questionnaire/analyse-dimpact.md)
{% endcontent-ref %}

{% content-ref url="/pages/RY7aouLcykTlhn7qY0o2" %}
[Questionnaires](/en/features/audit.md)
{% endcontent-ref %}
