Privacy impact assessment
Learn what a privacy impact assessment is.
📖 What is a PIA?
The Data Protection Impact Assessment (DPIA), provided for by Article 35 of the GDPR, is a compliance mechanism that aims to:
Identify and minimise the risks of infringement on the rights and freedoms of individuals,
Prove compliance with the GDPR,
And integrate privacy from the design phase (Privacy by design).
⚖️ The PIA focuses on risks to individuals, not risks to the organisation.
PIA = Privacy Impact Assessment = DPIA = Data Protection Impact Assessment
🧩 The three components of a PIA
A PIA is structured around three major steps:
📝 Description of the processing → Objectives, context, stakeholders, technologies, data involved.
⚖️ Assessment of necessity and proportionality → Legal compliance analysis: purposes, legal bases, individual rights, retention periods, etc.
🔐 Risk study and security measures → Identification of privacy risks and determination of control measures (technical and organisational).
📘 The PIA is simultaneously legal, technical and organisational: it engages the whole project team.
🎯 Objective of the PIA
The PIA enables an organisation to:
Demonstrate compliance (accountability principle),
Anticipate risks and compliance costs,
Document choices and design decisions,
Build trust with users, clients or employees.
🔍 When is a PIA required?
A PIA is mandatory when processing is likely to result in a high risk to the rights and freedoms of individuals.
Examples of processing activities concerned:
Intelligent video surveillance,
Automated profile scoring,
Large-scale collection of health data,
Use of biometrics or AI on personal data.
Under the EDPB guidelines, processing that meets at least 2 of the following criteria is considered likely to present a high risk:
Evaluation or scoring,
Automated decision-making with legal or similar effects,
Systematic monitoring,
Sensitive data,
Large scale,
Cross-referencing of data,
Vulnerable individuals,
Innovative use (AI, IoT, big data),
Blocking of a right or service,
Transfers outside the EU.
🕐 When should it be conducted?
The PIA must be carried out before the implementation of the processing, ideally from the design phase. It is a concrete application of the Privacy by Design principle.
It must also be:
Updated regularly (every 3 to 5 years),
Revised upon any significant change to the processing,
Linked to your record in Dastra for continuous monitoring.
🔁 The PIA is an iterative process: it accompanies the entire lifecycle of the processing activity.
⚙️ How to conduct a PIA?
1. Assess the necessity and proportionality of the processing
Ask yourself the right questions:
Are the purposes determined, explicit and legitimate?
Is the legal basis clear?
Is data minimised, accurate and up to date?
Are retention periods limited?
Are data subjects properly informed?
2. Review the protection of individuals' rights
Transparent information, clear consent, right of access, erasure and objection.
Contracts with processors.
Safeguards for international transfers.
Corrective measures planned in case of a breach.
3. Analyse privacy risks
For each feared event:
Identify the potential impacts on individuals (privacy breach, discrimination, reputational harm…).
Estimate the severity and likelihood of the risk.
Determine the existing or planned protection measures.
Assess the residual risk and, if necessary, propose additional measures.
💡 Final objective: reach an acceptable level of residual risk, documented and justified.
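A worked illustration of step 3 (added here as an example, not Dastra's own code or risk model): each feared event gets an initial severity and likelihood on a four-level scale, the existing or planned measures lower one or both levels, and the residual risk is compared against an acceptability threshold so that events still needing additional measures are flagged. The four-level scale, the product-based threshold and the sample events and measures are assumptions made for the example.

```python
"""Residual privacy-risk study for a PIA (added example; scales, thresholds,
events and measures are assumed, not taken from Dastra or a regulator)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed ordinal scale used for both severity and likelihood.
SCALE = {1: "negligible", 2: "limited", 3: "significant", 4: "maximum"}


@dataclass
class Measure:
    """A technical or organisational measure and how much it lowers each level."""
    name: str
    severity_reduction: int = 0
    likelihood_reduction: int = 0
    planned: bool = False  # False = already in place, True = still to be implemented


@dataclass
class FearedEvent:
    """One feared event with its impacts on individuals and initial levels."""
    name: str
    impacts: List[str]
    severity: int
    likelihood: int
    measures: List[Measure] = field(default_factory=list)


def clamp(level: int) -> int:
    """Keep a level inside the 1..4 scale after reductions are applied."""
    return max(1, min(4, level))


def residual_levels(event: FearedEvent) -> Tuple[int, int]:
    """Severity and likelihood once all listed measures are taken into account."""
    severity = clamp(event.severity - sum(m.severity_reduction for m in event.measures))
    likelihood = clamp(event.likelihood - sum(m.likelihood_reduction for m in event.measures))
    return severity, likelihood


def verdict(severity: int, likelihood: int) -> str:
    """Assumed acceptability rule: product of the two levels against fixed thresholds."""
    score = severity * likelihood
    if score >= 9:
        return "unacceptable"
    if score >= 4:
        return "to be reduced"
    return "acceptable"


def assess(events: List[FearedEvent]) -> List[Dict]:
    """Build the risk study table: initial risk, residual risk and the resulting action."""
    report = []
    for ev in events:
        r_sev, r_lik = residual_levels(ev)
        residual_verdict = verdict(r_sev, r_lik)
        report.append({
            "event": ev.name,
            "impacts": ev.impacts,
            "initial": (ev.severity, ev.likelihood),
            "initial_verdict": verdict(ev.severity, ev.likelihood),
            "measures": [m.name for m in ev.measures],
            "residual": (r_sev, r_lik),
            "residual_verdict": residual_verdict,
            "additional_measures_needed": residual_verdict != "acceptable",
        })
    return report


def acceptable_overall(report: List[Dict]) -> bool:
    """True only when every feared event reaches an acceptable residual risk."""
    return all(not row["additional_measures_needed"] for row in report)


def sample_events() -> List[FearedEvent]:
    """Constructed sample for a hypothetical health-records processing activity."""
    return [
        FearedEvent(
            "Illegitimate access to health records",
            ["privacy breach", "discrimination"],
            severity=4, likelihood=3,
            measures=[
                Measure("Encryption of the database at rest", likelihood_reduction=1),
                Measure("Role-based access control with access logging", likelihood_reduction=1),
                Measure("Pseudonymisation of identifiers in analytics copies",
                        severity_reduction=1, planned=True),
            ],
        ),
        FearedEvent(
            "Unwanted modification of records",
            ["incorrect decisions taken about the person"],
            severity=3, likelihood=2,
            measures=[Measure("Integrity checks and verified backups", likelihood_reduction=1)],
        ),
        FearedEvent("Loss of records", ["inability to exercise rights"], severity=2, likelihood=3),
    ]


if __name__ == "__main__":
    for row in assess(sample_events()):
        print(f"{row['event']}: residual {row['residual']} -> {row['residual_verdict']}")
```

The third sample event carries no measures and therefore stays "to be reduced", which is exactly the situation in which the PIA must record additional measures or a documented justification before the residual risk can be accepted.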
🧠 Who should be involved?
Data controller → Bears responsibility for the PIA and leads its implementation.
DPO → Advises, validates the methodology and assesses residual risks.
CISO / IT department → Provides technical expertise and security measures.
Business teams → Provide operational details of the processing.
Processors → Communicate the information necessary for the assessment.
Data subjects → May be consulted or represented in certain cases.
👥 The PIA is a collaborative process — it involves legal, technical and operational teams alike.
🤖 PIA and artificial intelligence
The AI Act introduces a specific obligation to document and assess high-risk AI systems. Organisations must include:
The origin of training data,
Robustness tests and bias assessments,
Planned human oversight controls,
Transparency measures.
Dastra allows you to link each PIA to an AI system to ensure cross-compliance between GDPR and the AI Act.
🧰 Dastra best practices
Centralise all your PIAs in the "Record of processing activities" module,
Use predefined risk models (EDPB, CNIL, ISO 29134),
Collaborate with teams via comments and workflows,
Export your PIAs as PDF for audits,
Schedule automatic revision reminders.
📘 For more information