Privacy Impact Assessments: A GDPR Requirement

Post Date: 08/03/2016

If you are not doing privacy impact assessments (PIAs) – also known as data protection impact assessments (DPIAs) in EU law – there is no time like the present to get started. PIAs are a systematic process to assess privacy risks to individuals in the collection, use, and disclosure of their personal data. Specifically, data controllers must conduct PIAs where privacy breach risks are high so that the risks to data subjects are minimized.

What is the purpose of privacy impact assessments?

The GDPR introduces DPIAs as a means to identify high risks to the privacy rights of individuals when processing their personal data. When these risks are identified (which we’ll explore in more detail later in this blog series), the GDPR expects that an organization formulates measures to address them. Those measures may take the form of technical controls such as encryption, pseudonymization, or anonymization of data.

Impact assessments, like security assessments, provide a good foundation to assess the potential and ongoing risk of systems and data flows within them. Privacy and data security teams can then recommend and monitor appropriate controls.

When should you conduct privacy impact assessments?

The impact assessment should happen before you start processing personal data. It should focus on topics like the systematic description of the processing activity and the necessity and proportionality of the operations. Ideally, impact assessments should always be done any time that you will be working with data that creates high risk to individuals. In reality, the PIA process may be used to help determine whether or not this is the case. So, in practice it’s a very good idea to make them a standard operating procedure for your privacy by design programs.

How can you use privacy impact assessments?

Beyond checking a box toward regulatory compliance, PIAs allow your privacy program managers and data protection officers to develop a service level agreement (SLA) with their colleagues in IT and the business. PIAs can be incorporated as part of the standard process of concept planning, development, test and deployment, and ongoing monitoring. They also allow privacy teams to implement privacy by design and by default and a risk-based approach to data protection – which are both key components of the GDPR.

With automation, a good PIA process can also scale the impact of what are typically small privacy organizations to match their larger counterparts in IT, security, and the business. Privacy can then be a core part of standard operating procedures instead of being seen as a hurdle to deployment.

AvePoint Privacy Impact Assessment (APIA) System

AvePoint and the International Association of Privacy Professionals (IAPP) have teamed up to design and build the industry’s first no-cost, fully-automated system for conducting privacy impact assessments. The AvePoint Privacy Impact Assessment (APIA) System, used by more than 3,000 global organizations, automates the process of evaluating, assessing, and reporting on the privacy implications of enterprise IT systems and processes. APIA:

  • Is 100% free, with no limitations or other requirements for use
  • Automates and centralizes what has traditionally been a manual, decentralized, tedious process
  • Helps organizations comply with privacy regulations by analyzing how information is collected and managed
  • Reports on assessments for stakeholder review
  • Involves compliance and privacy from the beginning of a project, not at the end
  • Extends assessment capabilities to include security, risk, and other vulnerabilities and processes

To learn more about APIA visit IAPP’s website.

For more information about how to prepare for GDPR requirements, sign up for our guide.


Dana Louise Simberkoff is the Chief Risk, Privacy and Information Security Officer at AvePoint. She is responsible for AvePoint’s privacy, data protection, and security programs. She manages a global team of subject matter experts that provide executive level consulting, research, and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts, and solutions for risk management and compliance. Ms. Simberkoff is responsible for maintaining relationships with executive management and multiple constituencies both internal and external to the corporation, providing guidance on product direction, technology enhancements, customer challenges, and market opportunities. Ms. Simberkoff has led speaking sessions at data privacy and security events around the globe. She was featured in Forbes, writes a monthly column for CMSWire, and was highlighted in the CSO Online list of “12 Amazing Women in Security”. She is a current member of the Women Leading Privacy Advisory Board and a past member of the Education Advisory Board for the International Association of Privacy Professionals (IAPP). Ms. Simberkoff holds a BA from Dartmouth College and a JD from Suffolk University Law School.