How to Conduct a Privacy Impact Assessment in 7 Steps

The Privacy Impact Assessment (PIA) is one of the more demanding legal obligations to carry out. It's essentially a risk analysis focused on personal information. Here's how to do one, step by step.

To understand when a PIA is mandatory and the legal requirements, see Privacy Impact Assessments — Article 3.3.

Step-by-step process

  1. Confirm a PIA is required

     Is this a technology project involving personal information? A cross-border data transfer? If yes, continue. Otherwise, you don't need a PIA.

  2. Describe the project in one paragraph

     Objective, data collected, people concerned, systems used. Keep it simple.

  3. Map the data flow

     Where does the data come from? Where does it go? Who has access? Draw a simple diagram with arrows.

  4. Make a list of risks

     For each step of the flow: what could go wrong? Unauthorized access, loss, leak, misuse. Note everything.

  5. Add safeguards

     For each risk: what measure reduces it? Encryption, restricted access, contracts, training. At least one measure per risk.

  6. Decide if risks are acceptable

     If the remaining risk is acceptable, proceed. If it is too high, modify the project or abandon it.

  7. Save the report

     File the document. Keep it for at least 5 years. You'll need it if the CAI asks.
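Steps 3 to 6 amount to a small risk register built on top of the data-flow diagram. The following is an added example (not code from this page or from the linked template) that models flows, risks and safeguards, then applies the "every risk gets a measure" and "is the remaining risk acceptable" checks. The 1-3 likelihood/impact scale, the rule that each safeguard lowers likelihood by one step, and the acceptability threshold are assumptions chosen for the illustration; the page prescribes no scoring method. The sample project (a sign-up form syncing addresses to a hosted mailing vendor) is constructed.

```python
from dataclasses import dataclass, field

# Assumed scoring convention for this example only: 1 = low, 2 = medium, 3 = high.
# A residual score at or below ACCEPTABLE_MAX is treated as "acceptable" (assumption).
ACCEPTABLE_MAX = 3


@dataclass
class Flow:
    """One arrow on the data-flow diagram (step 3)."""
    source: str
    destination: str
    data: tuple            # personal-information elements carried on this arrow
    access: tuple          # parties who can read the data at the destination
    cross_border: bool = False  # destination outside the organisation's jurisdiction


@dataclass
class Risk:
    """One 'what could go wrong' entry for a flow (step 4) and its safeguards (step 5)."""
    flow: Flow
    description: str
    likelihood: int
    impact: int
    safeguards: list = field(default_factory=list)

    def inherent(self) -> int:
        """Score before safeguards."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Score after safeguards: each measure lowers likelihood by one step, never below 1 (assumption)."""
        reduced = max(1, self.likelihood - len(self.safeguards))
        return reduced * self.impact


def pia_required(flows) -> bool:
    """Step 1: a PIA is needed if any flow carries personal information or crosses a border."""
    return any(f.data or f.cross_border for f in flows)


def findings(risks):
    """Steps 5-6: flag risks with no safeguard, and risks whose residual score is still too high."""
    out = []
    for r in risks:
        if not r.safeguards:
            out.append((r.description, "no safeguard listed"))
        if r.residual() > ACCEPTABLE_MAX:
            out.append((r.description, f"residual {r.residual()} > {ACCEPTABLE_MAX}: modify or abandon"))
    return out


def build_example():
    """Constructed sample project: a newsletter sign-up form feeding a hosted mailing service."""
    form = Flow("web form", "CRM database", ("name", "email"), ("marketing team",))
    sync = Flow("CRM database", "mailing-service vendor", ("email",),
                ("vendor support staff",), cross_border=True)
    risks = [
        Risk(form, "unauthorised access to CRM", 2, 2, ["role-based access", "MFA"]),
        Risk(sync, "vendor misuse of addresses", 2, 3, ["data-processing contract"]),
        Risk(sync, "leak in transit to vendor", 2, 3),   # no safeguard yet: should be flagged
    ]
    return [form, sync], risks


def report(flows, risks) -> str:
    """Step 7: a plain-text register suitable for filing."""
    lines = [f"PIA required: {pia_required(flows)}"]
    for f in flows:
        lines.append(f"flow: {f.source} -> {f.destination} data={f.data} access={f.access} cross_border={f.cross_border}")
    for r in risks:
        lines.append(f"risk: {r.description} inherent={r.inherent()} residual={r.residual()} safeguards={r.safeguards}")
    for desc, why in findings(risks):
        lines.append(f"FINDING: {desc}: {why}")
    return "\n".join(lines)


if __name__ == "__main__":
    flows, risks = build_example()
    print(report(flows, risks))
```

Running it prints the register and two findings, both on the unprotected vendor transfer: no measure listed, and a residual score of 6 against the assumed threshold of 3. Adding a safeguard such as TLS for that flow would bring it back under the threshold, which mirrors the "modify the project" branch of step 6.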

Tips and warnings

Common mistakes

  • Doing the PIA after the fact. The law requires it to be done beforehand, so complete it before launching the project.
  • Spending 40 hours on a small project. Stay proportionate. Small project = small PIA.
  • Forgetting vendors. Their practices are part of your analysis.

Frequently asked questions

How long does it take?

Simple project (new vendor): a few hours. Complex project (new system): 1-2 days or more.

Do I need to send the PIA to the CAI?

No. Keep it in your files. The CAI may request it, but you don't have to submit it proactively.

I already use Mailchimp/AWS/Google. Is it too late for a PIA?

Do it anyway. Better late than never. Document the risks and your current safeguards.

Who should conduct the PIA?

The RPRP supervises. The project team contributes. For larger projects, involve IT and legal counsel.

Where can I find the detailed legal requirements?

See our guide on PIAs for the legal text and complete requirements.

Related tool

PIA template with risk assessment grid.
