ASIRI

DPIAs and high-risk processing

Know when to run a DPIA, what to assess, who must review it, and how to keep mitigations connected to owners.

Plain English

What the chapter means in practice.

DPIAs should happen before launch

A DPIA is most valuable when product, legal, security, and leadership can still change the processing design.

Operational takeaway

Treat a DPIA as a living risk record. Mitigations should become owner tasks, not disappear inside a signed PDF.

Checklist

What to document.

  • Trigger DPIAs for sensitive data, AI, monitoring, profiling, and large-scale processing.
  • Record risks, mitigations, residual risk, approvals, and review dates.
  • Flag prior consultation needs when residual risk stays high.

Related workflows

Turn the chapter into an operating workflow.