Glossary

Privacy Impact Assessment (PIA)

Evaluation of privacy risks in new projects or processing, predecessor of DPIA.

A Privacy Impact Assessment (PIA) is a systematic evaluation of how a proposed project, system, or processing activity will affect the privacy of individuals whose personal data is involved. While the PIA predates the GDPR, its principles have been formalised in the regulation's Data Protection Impact Assessment (DPIA) requirement under Article 35, which mandates such assessments for processing likely to result in high risk to individuals' rights and freedoms.

A well-conducted PIA identifies privacy risks early in the project lifecycle, when changes are least costly to implement, and recommends mitigation measures to reduce those risks to acceptable levels. It examines data flows, retention periods, access controls, third-party sharing, and data subject rights mechanisms, producing a documented record that demonstrates the organisation's commitment to privacy compliance and informed decision-making.
