Data Protection and Privacy Impact Assessments


Data Protection and Privacy Impact Assessments Topic Page

Navigate by Topic

Privacy impact assessments and data protection impact assessments are valuable tools to gauge the ways projects, systems, programs, products or services impact the data an organization holds, and increasingly they are being required by law for certain data processing. Having a good understanding of what PIAs and DPIAs are, how to implement them and who needs to be involved can be the key to determining the true effect a new project will have on your organization.

This topic page provides resources, news, tools and guidance to gain more in-depth knowledge on PIAs and DPIAs.

Featured Resources


Key steps for meeting US state PIA obligations

This article outlines steps for managing comprehensive PIAs, including generating a project description, assessing data processing needs, and estimating data protection and privacy risks.
Read More


Building a Privacy Risk Framework for Accountability Through PIAs

In this web conference you will learn how to build a PIA framework that can establish the accountability needed to help manage privacy ris
Read More


The increasing importance of a DPIA

Adam Schlosser, CIPP/E, CIPP/US, founder of Bay Regulatory Strategy Group, explains why now is the time for companies to turn their attention to DPIAs.
Read More


Automation is not a silver bullet for underlying PIA process issues

This article outlines how to handle successful PIAs, privacy professionals need to assess what the product is, if it uses personal information, the risks that come with processing that kind of personal information, the impact that risk could have on the business and how to mitigate those risks.
Read More


What is and what isn’t subject to a DPIA under GDPR? An update

This article breaks down the draft lists from the EDPB, which offered its opinion on what activities need a data protection impact assessment.
Read More


What triggers a DPIA under the GDPR?

This infographic helps determine what kinds of activities are more likely to trigger a mandatory data protection impact assessment under the GDPR.
Read More

Samples, Templates and Forms

DPIA Template (d.pia.lab)

Vrije Universiteit Brussel’s Brussels Laboratory for Data Protection & Privacy Impact Assessments (the d.pia.lab) developed a template that conforms to the requirements of Articles 35–36 of the EU General Data Protection Regulation (GDPR) and reflects best practices for impact assessment. The template is available in both readable and editable formats. Read More

ICO: Sample DPIA Template

This template, published by the U.K. Information Commissioner's Office, offers an example recording the process and outcomes of a DPIA. It is meant as a complement to the ICO's DPIA guidance and the Criteria for an acceptable DPIA set out in European guidelines on DPIAs. Read More

Private Sector PIA Template

This template from British Columbia's Office of the Information and Privacy Commissioner aims to assist organizations in making the most of this tool to ensure Personal Information Protection Act compliance throughout an initiative’s lifespan.  Read More

ICO, SCC update DPIA template, guidance for surveillance cameras

The U.K. Information Commissioner's Office and Surveillance Camera Commissioner have worked together to update the SCC's data protection impact assessment template and guidance for surveillance cameras. The template was updated to reflect the requirements laid out in the EU General Data Protection Regulation and Data Protection Act 2018. "Surveillance systems can cause unnecessary intrusion into people’s daily lives. It is therefore imperative that a Data Protection Impact Assessment is carried ... Read More

Additional News and Resources

DPIA Template (d.pia.lab)

Vrije Universiteit Brussel’s Brussels Laboratory for Data Protection & Privacy Impact Assessments (the d.pia.lab) developed a template that conforms to the requirements of Articles 35–36 of the EU General Data Protection Regulation (GDPR) and reflects best practices for impact assessment. The template is available in both readable and editable formats. Read More

Switzerland DPA releases data protection impact assessment guide

Switzerland's Federal Data Protection and Information Commissioner, published an information sheet for conducting data protection impact assessments. Following the passage of the revised Data Protection Act, the document instructs federal bodies and citizens to "prepare a data protection impact assessment if the planned data processing entails a high risk for the (personal data) or the fundamental rights of the persons concerned."Full story... Read More

Steps to conducting a successful PIA

Salinger Privacy published a guide to ensure a successful privacy impact assessment. The tips include doing more than a legal compliance check, review the entire “ecosystem” of the technology the PIA is being conducted for, testing for “necessity, legitimacy and proportionality,” considering customer expectations, and using multiple privacy risk mitigation “levers.”Full Story... Read More

ANPD releases DPIA guidance

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, published a Q&A outlining proper procedures for data protection impact assessments. The 15-question document covers basic inquiries the covered entities have regarding process, preparation and requirements for performing DPIAs. The regulator indicated the list is a work in progress considering "additional obligations and parameters may be established by the ANPD in the future."Full Story ... Read More

OPC publishes organizational tips for conducting PIAs

The Office of the Privacy Commissioner of Canada published a guide with five tips for improving privacy impact assessments. The OPC found the missteps organizations take when conducting PIAs include not understanding their legal authority to collect certain personal data, defining the scope of a PIA for “clear analysis,” and creating and implementing an action plan based on the PIA.Full Story... Read More

Utilizing PIAs to limit institutional discrimination and bias

I view privacy as sitting at the convergence of what is legal, what is possible and what is ethical regarding the composition of what makes a person unique. While there are various forms of privacy, I’m going to focus on information privacy because it is perhaps the easiest to conceptualize in this situation. As a privacy community, we seem to have a firm grasp on what is legally permissible when using a person’s data. Likewise, if you have ever worked with an IT department, they are rightly qu... Read More

OPC’s Guide to the PIA Process

The Office of the Privacy Commissioner of Canada published this guide on the privacy impact assessment process. The guidance clarifies the OPC's role in the PIA process and sets out the OPC's expectations of government institutions in regard to PIAs. Read More

Data-processing agreements from 30,000 feet

“Processing by a processor shall be governed by a contract or other legal act…” (Article 28, GDPR) Commonly referred to as a “data processing agreement” this type of contract governs the relationship between a controller, a processor, and the data being processed. These contracts can come in many forms, but the EU General Data Protection Regulation now in effect, more and more organizations will be updating their vendor contracts to include a data processing agreement, or a data processing... Read More

Preparing for the GDPR: DPOs, PIAs, and Data Mapping

(November 2016) – The IAPP-TRUSTe 2016 study on privacy practices asked 244 privacy professionals about their organizations’ progress toward GDPR compliance, such as whether they have a data protection officer, as well as questions about data hygiene habits like privacy assessments and data inventory and mapping exercises. Read More

PIAs and Data Mapping – Operationalizing GDPR and Privacy by Design

Original broadcast date: August 24, 2016 Join us in this virtual discussion as we walk you through the process of creating a PIA, and hear us tackle the critical questions including, when and why a PIA is a necessary and useful tool, how PIAs evolve over time, what templates should you use, or should you use a template at all, what resources are at your disposal, how to continue to benchmark and improve your PIA over time, and once you've completed a PIA, how do you share its value with upper management and others in the organization among others. Read More