Introduction to Resource Center
This page provides an overview of the IAPP's Resource Center offerings.

Contact Resource Center
For any Resource Center related inquiries, please reach out to resourcecenter@iapp.org.

Data Protection and Privacy Impact Assessments

Image

Privacy impact assessments and data protection impact assessments are valuable tools to gauge the ways projects, systems, programs, products or services impact the data an organization holds, and increasingly they are being required by law for certain data processing. Having a good understanding of what PIAs and DPIAs are, how to implement them and who needs to be involved can be the key to determining the true effect a new project will have on your organization.

This topic page provides resources, news, tools and guidance to gain more in-depth knowledge on PIAs and DPIAs.

Featured Resources

Privacy Risk Framework for Accountability Through PIAs

In this web conference you will learn how to build a PIA framework that can establish the accountability needed to help manage privacy risk, leading practices for creating PIA/DPIAs in various environments and how to create streamlined workflows to collaborate with data owners to fill PIA/DPIAs.
Read More

The increasing importance of a DPIA

Adam Schlosser, CIPP/E, CIPP/US, founder of Bay Regulatory Strategy Group, explains why now is the time for companies to turn their attention to DPIAs.
Read More

What triggers a DPIA under the GDPR?

The IAPP has created this infographic to help you determine what kinds of activities are more likely to trigger a mandatory data protection impact assessment under the EU General Data Protection Regulation.
Read More

Back to top

Latest News and Resources

DPIA Template (d.pia.lab)

Vrije Universiteit Brussel’s Brussels Laboratory for Data Protection & Privacy Impact Assessments (the d.pia.lab) developed a template that conforms to the requirements of Articles 35–36 of the EU General Data Protection Regulation (GDPR) and reflects best practices for impact assessment. The template is available in both readable and editable formats. Read More

queue Save This

Steps to conducting a successful PIA

Salinger Privacy published a guide to ensure a successful privacy impact assessment. The tips include doing more than a legal compliance check, review the entire “ecosystem” of the technology the PIA is being conducted for, testing for “necessity, legitimacy and proportionality,” considering customer expectations, and using multiple privacy risk mitigation “levers.”Full Story... Read More

queue Save This

Automation is not a silver bullet for underlying PIA process issues

For over two decades, a privacy impact assessment has been an essential part of the privacy professional’s toolkit for understanding and mitigating privacy risks. In that time, there have been significant strides in automation of the PIA process. Automated assessment tools can do a lot of the heavy lifting for you, but the design and execution of a system that manages PIAs still needs a human element to make the PIA process successful. Poorly designed PIA forms that are not in tune with organiz... Read More

queue Save This
OPC publishes organizational tips for conducting PIAs
(IAPP, January 2023)
Guide to Undertaking Privacy Impact Assessments
(OAIC, September 2021)
Interactive Advertising Bureau — GDPR Data Protection Impact Assessments for Digital Advertising under the GDPR
(IAB, November 2020)
EDPS infographic: DPIAs in a nutshell
(EDPS, July 2020)
Utilizing PIAs to limit institutional discrimination and bias
(IAPP, June 2020)
OPC’s Guide to the PIA Process
(OPC, March 2020)
What is and what isn’t subject to a DPIA under GDPR? An update
(IAPP, February 2020)
Data-processing agreements from 30,000 feet
(IAPP, May 2018)
White Paper – Preparing for the GDPR: DPOs, PIAs, and Data Mapping
(IAPP, November 2016)
Web Conference: PIAs and Data Mapping – Operationalizing GDPR and Privacy by Design
(IAPP, October 2016)
Making Privacy Impact Assessment More Effective
(Trilateral Research & Consulting, April 2014)
Ten Steps to a Quality Privacy Program, Part Four: Privacy Impact Assessments
(IAPP, October 2013)
OMB Memorandum M-03-22
(IAPP, April 2013)
Conducting a privacy gap analysis: A primer for privacy officers
(IAPP, October 2011)
View More Resources
Back to top

Laws & Regional Guidance

EU Member State DPIA Whitelists, Blacklists and Guidance

Data protection authorities of many EU member states have published draft lists of data processing activities that would trigger the need for a data protection impact assessment in that country. The European Data Protection Board weighed in on the drafts, you can find its opinions here. And IAPP Westin Fellow Müge Fazlioglu, CIPP/E, CIPP/US, has written an analysis of the opinions here. IAPP extern Darya Balybina, CIPP/E, CIPP/US, CIPM has written an analysis, "What is and what isn't subject t... Read More

queue Save This
Back to top

Samples, Templates and Forms

DPIA Template (d.pia.lab)

Vrije Universiteit Brussel’s Brussels Laboratory for Data Protection & Privacy Impact Assessments (the d.pia.lab) developed a template that conforms to the requirements of Articles 35–36 of the EU General Data Protection Regulation (GDPR) and reflects best practices for impact assessment. The template is available in both readable and editable formats. Read More

queue Save This

ICO: Sample DPIA Template

This template, published by the U.K. Information Commissioner's Office, offers an example recording the process and outcomes of a DPIA. It is meant as a complement to the ICO's DPIA guidance and the Criteria for an acceptable DPIA set out in European guidelines on DPIAs. Read More

queue Save This

Private Sector PIA Template

This template from British Columbia's Office of the Information and Privacy Commissioner aims to assist organizations in making the most of this tool to ensure Personal Information Protection Act compliance throughout an initiative’s lifespan.  Read More

queue Save This
Back to top