Help Center
News
Help Center
News
Sign in
Document
Documents & PoliciesQuestionnairesControls & Technical and Organizational Measures (TOMs)Report ExplorerAsset RegisterFrameworksRecord of Processing Activities (ROPA)Exporting your ROPAVendorsImpact Assessments (IA)Legitimate Interest DocumentationsMeetings & ActivitiesRetentions & Deletions PeriodsData Collection Point (DCP)Add documents to vendors
DPIA
Browse impact assessmentsCreate a DPIAEdit a DPIADPIA detail page
Assessments
ROPA
Assets
International Standards & Frameworks
TOMs & Controls
Categories & Attributes
Data Collection Points
Legal Basis
Legitimate Interest
Documents & Policies
Retention & Deletion
Data Flow
Vendors
Questionnaires
Manage
Process Risk OverviewData Flow Map
Dashboards
AI Assistance & Automation
Projects
Tasks
Meetings & Activities
Workflows & Automations
Reporting
React & Resolve
TasksProjectsIncidents & BreachesData Subject Requests
Risk Scenarios & Treatments
Incidents & Breaches
Release Notes
Q2 2026
Q1 2026
Q4 2025
Q3 2025
Q2 2025
Q1 2025
Q4 2024
Q3 2024
Q2 2024
Q1 2024
Q4 2023
Q3 2023
Q2 2023
Q1 2023
Q4 2022
Q3 2022
Getting Started
Quickstart GuideQuestionnairesTasksProcess Risk OverviewIT SettingsFrameworksThe Information Security / Asset Risk ModelData Subject RequestsDownloading an elementLegitimate Interest DocumentationsAssigning Audiences to ElementsDocuments & PoliciesControls & Technical and Organizational Measures (TOMs)General SettingsCreating attributes that fit your industryDocument list for onboardingThe Data Protection Risk ModelIncidents & BreachesProjectsManaging audiencesAdd documents to vendorsHow to answer an assessment/questionnaireSetting up the first organization or companyData Collection Point (DCP)Use AI to create elementsSetting Risk models in General SettingsSharing ElementsHow can a user change the language?Data Flow MapRecord of Processing Activities (ROPA)Time MachineCreate and evaluate assessments Company Widget FeatureAsset RegisterVendorsImpact Assessments (IA)Creating organizational unitsExporting your ROPAMeetings & ActivitiesTerms for legitimate processingRetentions & Deletions PeriodsHow to create a new user and how to change the password for loginReport ExplorerMaturity modelAdding risk scenarios to assets or asset groupsRelevant Risk SzenariosPriverion GRC Platform overviewDocument list for onboardingHow can a user change the language?Setting up the first organization or companyCreating attributes that fit your industry
User account
Sharing & Group functions
Features
How-To Guides & Tips
Get Help
Legal
Settings
General Settings
Compliance settings
Identity and access management
IT Settings
Risk Settings

Browse impact assessments

List and filter all Data Protection Impact Assessments (DPIA).

The Data Protection Impact Assessments screen is your central inventory of every DPIA your company has carried out, is currently working on, or has shared with related organizations. Data Protection Officers, privacy managers and compliance coordinators come here every day to scan what already exists, pick up the next DPIA to review, start a new one when a high-risk processing activity is identified, or pull together evidence for an auditor. Because a DPIA in DPMS connects to many other elements — Records of Processing Activities, Assessments, Assets, Tasks, Risk Scenarios and Consultation Processes — this list also acts as the launch pad to navigate from one piece of compliance evidence to another.

In short: this is where DPIA work begins and where it gets monitored.

How to open it

From the main left-hand sidebar, open the Data Protection area (the same area that contains Records of Processing Activities and Legitimate Interest) and click Data Protection Impact Assessment. The page header that loads reads "Data Protection Impact Assessment".

Access depends on your permissions. Users with the full DPIA read permission see every DPIA in the company; users with the "assigned only" permission see the screen but the list is automatically narrowed to records they are personally responsible for or assigned to. Without either permission, DPMS shows a "Forbidden" page instead of the list. Importing DPIAs from a file is gated by a separate import permission — without it, the Import option in the Create menu does nothing.

Screenshot

What you see

The screen follows DPMS's standard module layout. The persistent left sidebar carries the main navigation, the top bar holds the company switcher, language menu and user menu, and the rest of the area is dedicated to the DPIA list.

Just under the page title sits the action bar — a strip that contains, from left to right, the search field, the filter builder, the status tabs (All, Open, In Progress, Completed and similar), the standard selector (a dropdown that re-frames the Risk column according to a chosen risk standard), the export buttons for Excel and JSON, and the blue Create button on the far right. A small chip nearby tells you how many records currently match your view.

Below the action bar is the DPIA table. Each row is a single DPIA, and the table loads more rows as you scroll. On the left of every row is a checkbox for selecting rows in bulk; on the right, hovering reveals trailing action icons (open, edit, share, delete). When you select one or more rows, a thin selection bar appears above the table with the bulk actions that apply to your selection.

The table shows four main columns: Name, Classification, Risk (labelled as "Risk target") and Organizational Unit. DPIAs that come from a parent organization through inter-company sharing are visually marked so subsidiaries can quickly tell central DPIAs apart from locally created ones.

Working with this screen

Finding a specific DPIA

The fastest way to locate a DPIA is to type a keyword into the search field at the top left — for example "newsletter", "HR onboarding" or "video surveillance". The search is debounced and runs against names, descriptions, organizational units and classification tags. It always works in combination with the active tab and any filter you've set, so if a result you expect doesn't appear, check that the tab and filters aren't excluding it.

For more structured searches, use the filter builder next to the search field. It lets you assemble field-by-field conditions like "Organizational Unit equals Marketing AND Status equals Draft" or "Classification contains Profiling". A DPO who manages many business units typically pins a filter like "my unit only"; auditors often filter by classification tag to focus on high-risk processing.

The tabs in the action bar are saved status filters. They sit on top of whatever search and filter you've defined, so you can use them to flip between, say, only Open DPIAs that match your current filter, or only Completed ones. DPMS remembers the last tab you used and re-opens that view next time you come back — useful if you always start your morning on "In Progress", but worth knowing if a colleague says "I see no DPIAs" while staring at the Completed tab.

Starting a new DPIA

When a new processing activity has been flagged as high-risk and needs a formal assessment, click Create at the top right and choose Create from the drop-down. DPMS opens a blank DPIA form on the General tab where you fill in the name, organizational unit, classification tags, the linked Record of Processing Activity, the "Identify the need for a DPIA" narrative, and the description of the processing. After you save, you return to this list and the new DPIA appears, typically in Draft status.

Before creating, it's good practice to scan the list (or use search) to confirm a DPIA doesn't already cover the same processing — DPIAs are heavyweight documents, and duplicates make audits harder.

Importing DPIAs prepared elsewhere

If group headquarters or a sister company has prepared DPIAs as JSON files (using the Export to JSON option on this same screen in their tenant), you can bring them into your tenant in one go. Click Create, then choose Import. A file picker opens that accepts one or many .json files. Once you confirm, DPMS uploads them, shows a brief loading state, refreshes the list and the new DPIAs appear on the All tab.

Two things to know:

  • The Import option only accepts the JSON format DPMS itself produces. Generic JSON files will silently fail validation on the server.
  • You need the dedicated DPIA import permission. If you don't have it, the file picker is disabled even though the menu entry is visible.

After import, open each new DPIA and adjust its organizational unit, responsible person and any locally relevant links — imported records carry over their original metadata, which usually needs to be tailored to your tenant.

Re-framing the Risk column for a specific standard

The Risk column shows a calculated risk score for each DPIA. Which standard the score reflects depends on the standard selector dropdown in the action bar — for example, ISO 27005, the EDPB DPIA methodology, or any custom standard configured in your Risk Settings.

If your company runs more than one risk methodology in parallel, switch the selector to the standard you care about right now and the Risk column re-renders accordingly. Selecting "All" shows the risk values across every standard the DPIA is configured against. A blank cell in the Risk column does not necessarily mean "no risk" — it usually means the DPIA has no scenarios under the standard you currently have selected. Switching the selector to "All" is the quickest way to confirm.

Exporting a snapshot for auditors or backup

Auditors regularly ask for a quarterly snapshot of completed DPIAs. To produce one, switch to the Completed tab, optionally narrow the list further with a filter (for example by Organizational Unit), then click Export to XLSX in the action bar. DPMS produces a spreadsheet that respects your active tab, filter and search — exactly what's currently on screen.

If you instead need to migrate DPIAs to another DPMS tenant (for example, replicating a template from group HQ to a subsidiary), use Export to JSON. The resulting file is the same format the Import option above expects, so you can hand it to a colleague in the other tenant for a clean round-trip.

Working on multiple DPIAs at once

Selecting rows with the checkboxes opens up bulk actions in a thin bar above the table:

  • The Sharing bulk action opens the Group Sharing tab of the selected DPIAs so you can share or relink them with subsidiaries or other audiences. Useful when a central DPO needs to push finalized DPIAs out to multiple companies.
  • The Layer-group bulk action applies a layer of standards to the selected DPIAs in one operation, opening the Standards tab so you can confirm the change. This is the practical way to introduce a new standard across an existing DPIA portfolio.
  • The bulk export buttons (XLSX and JSON) honor your selection rather than the whole filtered list.
  • A delete bulk action is also available for DPIAs that should no longer exist.

Sharing requires the publish permission on DPIAs; layer-group operations require create or edit permission. Without those permissions the buttons are not available.

Opening a DPIA to keep working on it

Click the row's name to open the DPIA in its detail view, which lands on the General tab. From there the detail screen exposes everything else: Balancing of Interests, Tasks, linked Assessments and Assets, Standards, Risk Scenarios, Implemented Controls, Current Risk, Suggested Controls, Treatment Plan and Treatment Status, Manage Access, Workflow Overview, and the Consultation Process tab.

If you only have read permission, the row click still works — you just open the detail in read-only mode. To jump straight into editing, use the trailing edit icon that appears on hover at the right end of each row (visible only if you have edit rights).

Field reference

The table on this screen shows the following columns:

  • Name — The DPIA's title in your active language. If a translation isn't available in your language, DPMS falls back to the next available one. Empty values are unusual but can occur on legacy records — the name is now a required field on creation.
  • Classification — A comma-separated list of classification tags describing what type of processing the DPIA covers (for example, "Profiling", "Special category data", "Large-scale monitoring"). Tags are translated when possible. An empty value simply means no classification was assigned.
  • Risk (Risk target) — The DPIA's currently calculated risk under the standard selected in the standard selector. Clicking this cell takes you into the relevant risk tab inside the DPIA detail. A blank cell means no risk has been computed for that particular standard — usually because scenarios or controls are still missing.
  • Organizational Unit — The internal unit that owns the DPIA (for example, HR, Marketing, IT). Useful for sorting and filtering by department.

DPMS may also display a small indicator on rows that have an outstanding change request, so you can spot DPIAs awaiting review without opening them.

How this connects to the rest of DPMS

This screen is the hub of the DPIA workflow. Everything outbound from it points to a more specific work area:

  • Clicking a row goes to the DPIA detail page, where the actual assessment work happens (description of processing, balancing of interests, scenarios, controls, treatment plan, workflow approvals, consultation processes).
  • The Create menu starts either a fresh DPIA form or an import flow.
  • Bulk actions for sharing and standards layering open the relevant tab of the DPIA detail directly.
  • Trailing edit actions on each row jump into a specific tab of the edit view, so you can land directly on, say, Tasks, Assessments, Risk Scenarios or Treatment Plan.

This list is also a frequent destination from elsewhere. The Dashboard's DPIA tile, global search, and "linked DPIAs" panels on Records of Processing, Assessments, Assets, Risk Scenarios, Tasks and Consultation Processes all eventually navigate users back here — either directly or via a DPIA detail. Workflow notifications about a DPIA awaiting review come with a deep link straight into the relevant DPIA, but this list is the natural fallback when you need to look at related ones.

After working on this screen, the typical next steps are: opening individual DPIAs to continue assessment work; triggering or progressing a workflow approval from the detail view; creating a Consultation Process from inside a DPIA when works councils or supervisory authorities need to be involved; or, for auditors, simply taking the exported XLSX snapshot away as evidence.

Tips & common pitfalls

Tip: If you can't find a DPIA you know exists, check three things in order — the active tab (DPMS remembers your last one), the filter builder, and the search box. The empty state is far more often a leftover filter than a missing record.
Heads up: A blank Risk cell does not mean "low risk" or "no risk". It means the DPIA has not been scored under the standard currently selected in the standard selector. Switch the selector to "All" to confirm.
  • Read-only-to-assigned users see a smaller list. If a colleague reports missing rows, check whether they have the full DPIA read permission or only the "assigned only" variant — the latter automatically narrows the list to DPIAs they own or are assigned to.
  • Row click goes to the detail, not directly to edit. This is intentional, so users with read-only permission can still inspect a DPIA. To open the editable form, use the pencil icon that appears on hover at the right end of the row.
  • Imports must come from DPMS. The Import option only accepts JSON files exported from another DPMS tenant via Export to JSON on this same screen. Arbitrary JSON will fail validation server-side.
  • Filters survive navigation within the module. Jumping into a DPIA detail and back keeps your filters and search intact; navigating fully out of the DPIA module clears them. Use this to your advantage when triaging a queue.
  • Don't create duplicates. Before clicking Create, search for existing DPIAs that may already cover the same processing — duplicate DPIAs are confusing for auditors and hard to clean up later.


Was this article helpful?

English
Powered by Product Fruits