Definition · Plain-language
Privacy impact assessment (PIA/DPIA)
A privacy impact assessment is a structured process for identifying and minimising the privacy risks of a project, carried out before the project begins and revisited while it is under way.
What the assessment covers
A DPIA systematically describes the proposed processing — what data, why, how and for how long — and then evaluates it. It assesses whether the processing is necessary and proportionate to its purpose, identifies and weighs the risks to individuals’ rights and freedoms, and records the measures chosen to reduce those risks, such as minimisation, de-identification or access controls. The output is a documented, reasoned account that supports accountability and can be revisited as a project evolves.
When a DPIA is required
Under GDPR Article 35, a DPIA is required where processing is likely to result in a high risk to individuals — for example, large-scale processing of special category data, systematic monitoring, or innovative uses of technology. Supervisory authorities publish lists of operations that trigger the requirement. Even where it is not strictly mandatory, carrying out an assessment is widely regarded as good practice for any project handling significant personal data, including much academic research.
Why it matters for research
Research projects often involve sensitive data, novel methods or data linkage, all of which can raise privacy risk. Conducting a privacy impact assessment early helps teams design in safeguards rather than retrofitting them, supports informed consent, and clarifies responsibilities between controllers and processors. It complements FAIR and open-data goals by showing that risks to participants have been considered and managed, which in turn builds trust in how research data is shared and reused.
Key facts
At a glance
- Definition: process to identify and minimise a project’s privacy risks
- GDPR term: data protection impact assessment (DPIA)
- Source: GDPR Article 35
- Required when: processing is likely high risk to individuals
- Covers: description, necessity, proportionality, risk, mitigations
- Timing: conducted before and revisited during processing
Common misconceptions
What people often get wrong
Often heard: A DPIA is a one-off form you complete once at the start of a project.
Actually: A DPIA is an ongoing process. It should be revisited as a project changes, because new data, methods or risks can alter the assessment after the initial documentation.
Often heard: Every processing activity legally requires a DPIA.
Actually: GDPR mandates a DPIA specifically for processing likely to result in high risk. For lower-risk processing it is good practice but not strictly required.
Often heard: A DPIA is purely a paperwork exercise with no effect on the project.
Actually: A DPIA is intended to shape the design of processing — selecting safeguards such as minimisation and de-identification — not merely to document decisions already made.