Impact Assessments (IA)
The Impact Assessments screen is the central workspace for managing Data Protection Impact Assessments (DPIAs) in DPMS. If your organisation is planning — or already running — a processing activity that is likely to present a high risk to individuals, this is where you document the legal justification, assess the risk scenarios, record the controls you have put in place, and obtain formal sign-off. The screen is used daily by DPOs who need to keep DPIAs moving through their lifecycle, by risk managers who evaluate likelihood and severity, and by compliance officers and auditors who need a clear evidence trail. DPIAs in DPMS don't sit in isolation: they draw on your Record of Processing Activities for context, reference the Asset Register for the systems involved, use Risk Settings for scoring thresholds, and feed into the Workflow engine for structured review and approval.
How to open it
In the left-hand sidebar, go to the Privacy section and click Impact Assessments.
You need at least read permission for Impact Assessments to see the list. Users with full read access see all DPIAs; users with owner-level read access see only the records assigned to them. If you land on a "403 Forbidden" page, contact your DPMS administrator to request the appropriate access.
What you see
The screen has two main areas: the index list (the starting point) and the detail view (where all the real work happens).
On the index, you see a table of all your DPIA records. Above the table there is a row of status filter tabs — All, Active, Draft, Inactive, and Review — so you can instantly narrow the list to whatever lifecycle stage matters right now. A search bar lets you find a specific DPIA by name, and column-level filter controls let you narrow by classification, risk score, or organisational unit. In the top-right corner, a Create button lets you start a new DPIA, and export buttons (XLSX and JSON) let you pull the current filtered list into a file.
When you open a DPIA record, the layout splits into a collapsible left-hand navigation tree and a main content area. The navigation tree lists every section of the DPIA — General, Consultation, Balancing of Interests, Tasks, Assessments, Assets, Risk (with its own sub-menu), and Workflows. A sticky header runs across the top of the content area and stays visible no matter how far you scroll; it shows the responsible person, the status, the priority, and the key action buttons.
Working with this screen
Starting a new DPIA
When your organisation identifies a processing activity that requires a formal assessment — for example, a new AI-powered recruitment tool, a large-scale health data programme, or systematic monitoring of employees — this is where you begin.
On the index page, click Create in the top-right corner. A small menu expands; select Create Impact Assessment. You land on the General creation form.
Fill in the Name — this is the only required field, so be descriptive (for example, "AI-powered candidate screening — recruitment"). Choose the Organisational Unit responsible for the processing, and optionally select one or more Classification tags to make the DPIA easier to filter later. The most important optional field here is Linked RoPA: use the searchable dropdown to connect this DPIA to the corresponding Record of Processing Activities entry. Doing so creates a traceable link between your processing register and your formal assessment — something auditors will look for. Leave the Status as "Draft" for now.
In the two long-text fields — Identify Need for DPIA and Description of Processing — write the narrative explaining why this processing triggers Article 35 and what the processing actually involves. If your organisation has AI credentials configured, you can use the AI button in the sticky header to generate draft text and then refine it.
Click Save. DPMS redirects you to the new DPIA's detail view, General tab. From here you can continue building out every other section.
Reviewing and progressing an existing DPIA
Before an audit or a scheduled review cycle, a compliance officer typically needs to work through a set of DPIAs, check the content, and advance them to "Active" status.
Start on the index page and click the Review tab to filter to DPIAs that are currently in a formal review state. Click a row to open the detail view.
Work through the tabs in the left-hand navigation tree. On the General tab, verify the Name, Linked RoPA, and Description of Processing. If you have edit permission and need to update the narrative text, click directly inside the "Identify Need for DPIA" or "Description of Processing" block — they activate as inline rich-text editors without requiring you to navigate to a separate edit form. On the Balancing of Interests tab, check that the legitimate interest balancing narrative is complete if the processing relies on that legal basis.
Next, review the risk picture. Click Risk in the left-hand tree and work through the standard-specific sub-tabs that appear. The Risk Scenarios sub-tab lists the threat pathways that have been identified; the Implemented TOMs sub-tab shows which technical and organisational measures have been applied; the Current Risk sub-tab shows the residual risk score after those controls are in place.
If the residual risk is acceptable and the workflow has been completed, go to the sticky header and change the Status dropdown from "Review" to "Active". DPMS saves the change immediately. The DPIA is now formally active and will appear as approved evidence in audit exports.
Heads up: Changing the status dropdown is a direct record update — it does not automatically complete or trigger a workflow. Always finish the formal review cycle in the Workflows tab before marking a DPIA as Active.
Working with risk scenarios and TOMs
Risk managers typically pick up a DPIA after the DPO has created the basic record and need to assess the risk in detail.
Open the DPIA detail view and click Risk in the left-hand navigation tree. If the sub-menu shows no expandable entries, it means no risk standards have yet been linked to this DPIA — go to the edit view, add a standard in the Standards section, and then return.
Once a standard is linked, click its name in the sub-menu to expand the sub-tabs. Start with Risk Scenarios: here you can link existing scenarios from the Risk Scenario register or create new ones. Each scenario captures a specific threat (for example, "Data Breach via Third-Party Processor") with a likelihood rating and a severity rating. The combination gives a risk score against the threshold configured in Risk Settings.
Move to Implemented TOMs to record which controls are already in place. You can link existing TOMs from the TOM register (such as a Data Processor Agreement or encryption-at-rest policy) or use the Implement All Relevant TOMs action to bulk-apply controls in one step — this option is only available when no background risk recalculation job is running. After linking TOMs, switch to Current Risk to see the updated residual risk score. If it has dropped below the acceptance threshold, you are done with this standard. If not, move to Treatment Options to choose a treatment strategy (Mitigate, Accept, Transfer, or Avoid) and then document the details in the Treatment Plan sub-tab.
Running a formal review and approval workflow
When a DPIA is ready for formal sign-off — for example, before going live with a new processing activity — you kick off a workflow to assign reviewers, collect approvals, and create a documented audit trail.
Open the DPIA detail view and click Workflows in the left-hand navigation tree. The Overview sub-tab shows all workflow instances attached to this DPIA. To start a new cycle, go to the edit view (click Edit in the sticky header) and use the workflow trigger section to select a workflow template and launch the review. You need the workflow assignment permission to do this.
Once the workflow is running, reviewers receive notification emails with a direct link to the DPIA's Required Action sub-tab, where they see only the steps that need their input — for example, a button to approve or reject the DPIA at that stage.
As the DPO or compliance officer overseeing the process, you can monitor progress from the Workflows tab: the table shows each workflow instance, its current status, the assigned reviewers, and the last updated date.
Tracing changes with the Activity Log
Auditors and DPOs often need to prove not just what a DPIA contains now, but what changed and when. Every DPIA has a full audit trail built in.
Open the DPIA detail view and click the clock icon (Activity Log) at the top right of the content area — it sits just to the right of the breadcrumb row. A drawer slides in from the right, showing a timestamped list of every change made to this record: field-level edits, status transitions, responsible person changes, and the name of the user who made each change. You can screenshot or copy the relevant entries for your audit report. Click the X or click outside the drawer to close it.
Tip: The Activity Log button is hidden for DPIAs that have been shared with or received from another organisation in Consulted mode. If you cannot find it, check whether the DPIA is a shared record.
Field reference
Name — The descriptive title of the DPIA. Required. Supports multiple languages; DPMS can auto-translate if AI is configured.
Organisational Unit — The business unit responsible for the processing activity. Optional but recommended for filtering and reporting. You can create a new unit on the fly from the dropdown.
Classification — One or more tags that categorise the DPIA (for example, "AI Processing", "Health Data"). Optional; tags are managed in Compliance Settings.
Linked RoPA — One or more Records of Processing Activities that describe the processing being assessed. Optional in the form but strongly recommended: without it, there is no traceable link between your processing register and your DPIA in audit exports.
Identify Need for DPIA — A narrative text field explaining why this processing meets the Article 35 threshold for a formal assessment. Optional at the form level, but essential for a legally complete DPIA. Supports rich text and AI-assisted drafting.
Description of Processing — A narrative text field describing what the processing actually involves: data categories, data subjects, purposes, recipients, and transfers. Supports rich text and AI-assisted drafting.
Responsible Person(s) — The DPMS users responsible for this DPIA. Managed from the sticky header. Optional; multiple people can be assigned.
Status — The lifecycle stage: Draft, Active, Inactive, Review, or any custom status configured in Compliance Settings. Defaults to Draft (or the first configured custom status) when creating a new record.
Priority — The urgency level for this DPIA. Managed from the sticky header. Optional; only shown if priorities are enabled in your configuration.
How this connects to the rest of DPMS
DPIAs sit at the crossroads of several DPMS modules. The Linked RoPA field connects each DPIA to the processing register, so a click from either side takes you to the matching record. The Assets tab links to the Asset Register, documenting which systems are in scope. The Risk sub-tabs connect to the Risk Settings module — the thresholds, likelihood scales, and severity scales used to score scenarios all come from there. The Workflows tab depends on workflow templates being configured in the Workflow Settings module; without templates, no review cycle can be started.
Once a DPIA is marked Active, it becomes available as evidence in audit reports and in the compliance dashboard. Risk scores from DPIAs feed into the organisation's overall risk posture view. If you link a DPIA to a RoPA record, that RoPA's detail view will show the linked DPIA in its own "Linked DPIAs" section. After completing a DPIA, the logical next steps are: ensure the Treatment Plan is documented and assigned to owners, link or create any relevant Tasks to track remediation, and confirm the Consultation Process records are complete if a DPA or stakeholder consultation was required.
Tips & common pitfalls
Heads up: Manually changing the Status dropdown to "Active" bypasses the workflow. Always complete the formal approval cycle in the Workflows tab first — then update the status.
Tip: Always link at least one RoPA record before setting a DPIA to Active. The Name field is required, but the Linked RoPA is optional — however, auditors will expect to see the connection between your processing register and your formal assessment.
- Empty Risk tab? If the Risk section shows no sub-menus, no risk standard has been attached to this DPIA yet. Go to the edit view, add a standard, and then return to the Risk tab.
- Implemented TOMs or Edit button greyed out? A background risk recalculation job may be running. Wait a few minutes and refresh the page — controls re-enable automatically once the job completes.
- The ‹ › navigation arrows use the filter you had when you opened the record. If you arrived from a "Draft" filtered list, the arrows step through Draft records only. If someone else changes the filter in another tab, the order may shift unexpectedly.
- Custom statuses need to be set up first. If the Status dropdown only shows Draft, Active, Inactive, and Review, it means no custom statuses have been configured yet. Go to Compliance Settings → Statuses and add them there.
- Import option requires a specific permission. The Import option in the Create menu is only visible to users who have the import permission for DPIAs. If a colleague cannot see it, ask an administrator to check their role.