Help Center
News
Help Center
News
Sign in
Document
Documents & PoliciesQuestionnairesControls & Technical and Organizational Measures (TOMs)Report ExplorerAsset RegisterFrameworksRecord of Processing Activities (ROPA)Exporting your ROPAVendorsImpact Assessments (IA)Legitimate Interest DocumentationsMeetings & ActivitiesRetentions & Deletions PeriodsData Collection Point (DCP)Add documents to vendors
DPIA
Browse impact assessmentsCreate a DPIAEdit a DPIADPIA detail page
Assessments
ROPA
Assets
International Standards & Frameworks
TOMs & Controls
Categories & Attributes
Data Collection Points
Legal Basis
Legitimate Interest
Documents & Policies
Retention & Deletion
Data Flow
Vendors
Questionnaires
Manage
Process Risk OverviewData Flow Map
Dashboards
AI Assistance & Automation
Projects
Tasks
Meetings & Activities
Workflows & Automations
Reporting
React & Resolve
TasksProjectsIncidents & BreachesData Subject Requests
Risk Scenarios & Treatments
Incidents & Breaches
Release Notes
Q2 2026
Q1 2026
Q4 2025
Q3 2025
Q2 2025
Q1 2025
Q4 2024
Q3 2024
Q2 2024
Q1 2024
Q4 2023
Q3 2023
Q2 2023
Q1 2023
Q4 2022
Q3 2022
Getting Started
Quickstart GuideQuestionnairesTasksProcess Risk OverviewIT SettingsFrameworksThe Information Security / Asset Risk ModelData Subject RequestsDownloading an elementLegitimate Interest DocumentationsAssigning Audiences to ElementsDocuments & PoliciesControls & Technical and Organizational Measures (TOMs)General SettingsCreating attributes that fit your industryDocument list for onboardingThe Data Protection Risk ModelIncidents & BreachesProjectsManaging audiencesAdd documents to vendorsHow to answer an assessment/questionnaireSetting up the first organization or companyData Collection Point (DCP)Use AI to create elementsSetting Risk models in General SettingsSharing ElementsHow can a user change the language?Data Flow MapRecord of Processing Activities (ROPA)Time MachineCreate and evaluate assessments Company Widget FeatureAsset RegisterVendorsImpact Assessments (IA)Creating organizational unitsExporting your ROPAMeetings & ActivitiesTerms for legitimate processingRetentions & Deletions PeriodsHow to create a new user and how to change the password for loginReport ExplorerMaturity modelAdding risk scenarios to assets or asset groupsRelevant Risk SzenariosPriverion GRC Platform overviewDocument list for onboardingHow can a user change the language?Setting up the first organization or companyCreating attributes that fit your industry
User account
Sharing & Group functions
Features
How-To Guides & Tips
Get Help
Legal
Settings
General Settings
Compliance settings
Identity and access management
IT Settings
Risk Settings

DPIA detail page

Inspect risks, current and target risk levels, classification and approvals of a DPIA.

The DPIA detail page is the central workspace for a single Data Protection Impact Assessment. It brings together everything that belongs to one DPIA — the narrative description of the processing, the linked Records of Processing (ROPA), the risk evaluation, the treatment plan, the consultations with stakeholders, the approvals, and the workflows — so that you have one auditable record per assessment. Data Protection Officers, privacy specialists, risk managers and project owners typically spend their time here whenever a processing activity has been flagged as "likely to result in a high risk" under GDPR Article 35 (or the equivalent rule in your jurisdiction).

Think of this screen as the home base of one DPIA. From here you can read and edit every attribute, work through the risk analysis tab by tab, attach evidence, trigger review workflows, and ultimately get the assessment approved and ready for the regulator.

How to open it

  • From the left-hand sidebar, open Data Protection Impact Assessment (DPIA) — this opens the DPIA index list.
  • Click any row in the table to drill into that DPIA's detail page.

You can also reach this page automatically right after creating a new DPIA, or by clicking a linked DPIA from a ROPA detail page or from the Required Actions / Workflow inbox.

To view this page you need DPIA read permission. Users who only have read-on-assigned permission will see the page in read-only mode (the edit pencils, AI button, status pill and most action buttons are disabled with a tooltip explaining why). If you have no DPIA permission at all, the menu item is hidden in the sidebar.

Screenshot

What you see

The page is split into three parts. At the very top sits a thin breadcrumb strip showing where you are: a back arrow to the DPIA list, the module name, then the DPIA's name, then the active tab. Two small chevron arrows ( ) next to the name jump you to the previous or next DPIA in the list you came from — handy when reviewing several DPIAs in a row.

Below that, the screen splits into two columns. The left column is a vertical menu of tabs: General, Consultation, Balancing of Interests, Tasks, Assessments, Assets, Risk Evaluation and Manual Workflows. The last two are expandable — clicking them reveals sub-tabs for the threshold, scenarios, treatment plan and so on. A small status dot in front of each tab tells you at a glance whether that section already has content saved.

The right column is the working area. At its top sits a sticky action header that follows you wherever you scroll: it shows the DPIA name in large type, a coloured Status pill, a Responsible Persons selector with the avatars of the assigned people, the Updated, Last review and Reviewers timestamps, an AI helper button, and a three-dot menu for everything else (sharing, change requests, copy, export, delete). Below the header, the actual content of the selected tab renders inside a card. On the General tab this is a clean label-and-value layout; on the linked-element tabs it's a paginated table with Add, search and column filters.

When you switch into one of the Risk Evaluation sub-tabs, an extra contextual bar appears showing the current risk standard (for example ISO 27005 or GDPR 2018) so that every risk number on screen always stays anchored to the right framework.

Working with this screen

Reviewing a DPIA before going live

This is the most common scenario for DPOs and privacy specialists.

  • Open the DPIA from the index list. The General tab is shown by default.
  • Read through the key attributes: Name, Organizational Unit, Linked ROPA, Identify the need for a DPIA, and Description of processing. Click any linked ROPA name to jump to the processing activity and confirm the description matches reality. Use the small pencil icon next to a field to make a quick correction without opening the full edit form. Each pencil saves immediately.
  • Move to Balancing of Interests to read the legitimate-interest argument the team has documented.
  • Open Risk Evaluation in the left menu. Visit Standard to confirm the right framework is selected, then Threshold and finally Current Risk to make sure every scenario sits below the threshold.
  • Once you are satisfied, click the coloured Status pill in the action header and change the status from Draft to Active. The change is immediate.
Heads up: changing the status pill is an ad-hoc action. If your governance requires a formal review before activation, trigger a workflow from Manual Workflows instead of just flipping the pill.

Adding and managing linked items (Tasks, Assessments, Assets, Consultations)

All four linked-element tabs (Tasks, Assessments, Assets, Consultation) work the same way.

  • Click the relevant tab in the left menu. You'll see a table of items already linked to this DPIA.
  • Click Add at the top right of the card. A linker dialog opens so you can either pick existing items or create a new one (for example a new task with deadline and responsible person, or a new consultation process to record stakeholder feedback). When you save, the item is automatically linked to this DPIA and appears in the table.
  • Click any row to open the linked item's detail page in its own context — when you come back, the DPIA stays as your "parent" record.
  • To unlink or delete items in bulk, tick the checkboxes at the start of each row and use the action buttons that appear above the table.

Note that the Consultation tab is read-only on this detail page by design — to edit a consultation, click into it and use its own edit form.

Building the risk evaluation and treatment plan

Risk managers and information-security leads do most of their work on the Risk Evaluation sub-tabs. Click Risk Evaluation in the left menu to expand it.

  • Open Standard and pick the risk framework(s) that apply to this DPIA — for example GDPR 2018 for privacy, ISO 27005 for security. Standards are what drive every risk calculation that follows.
  • Open Threshold and define the maximum risk score your organisation accepts without further mitigation. Use the Edit button on the card to change values.
  • Open Scenarios and link the relevant risk scenarios from your scenario library using the Add button.
  • Open Implemented TOMs (Technical and Organizational Measures) to record which safeguards are already in place. There's a one-click option to mark all relevant TOMs as implemented, which saves a lot of time on routine assessments.
  • Open Current Risk to see, scenario by scenario, the resulting likelihood × damage and risk level. A Set current risk button lets you adjust each scenario individually.
  • For each scenario above the threshold, open Treatment Options and choose whether you will accept, mitigate, transfer or avoid the risk.
  • Open Treatment Plan, click Edit treatment plan, add the suggested TOMs and assign deadlines. When the plan is ready, publish it — this freezes a finalized version that is then visible under View treatment plan.
  • As the treatment items are worked on, use Treatment Status to track each one as open, in progress, done or blocked.
Tip: the risk sub-tabs only become meaningful once you've selected at least one standard. If Threshold, Scenarios and Current Risk look empty, start with Standard.

Triggering a review or approval workflow

For formal sign-off, use the Manual Workflows tab.

  • Click Manual Workflows in the left menu. Two sub-tabs appear: Required Action (what you personally need to do right now) and Overview (every workflow that has run, is running or is scheduled).
  • Use the workflow templates exposed under the menu — for example Annual DPIA Review — to launch a new workflow. Reviewers receive their tasks; the workflow appears with status In progress under Overview.
  • When the workflow completes, the Last review and Reviewers fields in the action header update automatically. This is the audit-grade trail regulators expect.

Assigning responsibility and changing status

The action header on the right column is also where you manage the lifecycle.

  • Click the Status pill to switch between Draft, Active, Inactive, Review or any custom status configured for your company. The change saves immediately.
  • Click the Responsible Persons dropdown to add or remove people. Multiple persons can be assigned at once — useful for handovers or co-ownership.

Both actions require edit permission. Without it, the controls are visible but disabled, and a tooltip explains why.

Using the AI helper

The small AI button next to the status pill can generate or improve the long narrative fields (Identify the need for a DPIA, Description of processing) by drawing on the linked ROPA. It's particularly useful for accelerating the first draft of a new DPIA.

The button is hidden or disabled if AI is not configured for your tenant or another AI job is already running on the same DPIA.

Sharing, requesting changes, exporting

All other actions live in the three-dot menu on the far right of the action header:

  • Edit opens the full edit form, where every attribute is editable on one screen.
  • Sharing (only visible if you have publish permission) lets you share this DPIA with other organizations in a group hierarchy.
  • Request Change opens the change-request flow — useful when you need to adjust a DPIA you don't own.
  • Copy, Export and Delete perform the obvious lifecycle actions.

Field reference

The General tab contains the structured attributes auditors expect to find:

  • Name — the DPIA's display name. Multilingual; the language you see depends on your interface setting.
  • Organizational Unit — the org unit responsible for this assessment. Drives notifications and reporting.
  • Linked ROPA — the processing activities this DPIA evaluates. A DPIA without a linked ROPA is normally a draft; in production, every DPIA should point to at least one record.
  • Identify the need for a DPIA — the narrative justification for triggering a DPIA in the first place. Required by Article 35 of the GDPR. Rich text.
  • Description of processing — the full description of the processing activity, including categories of data, data subjects, recipients and retention. Rich text. This is what supervisory authorities will read first.
  • Balancing of Interests (separate tab) — the documented argument that the legitimate interests of the controller are not overridden by the rights and freedoms of data subjects (GDPR Art. 6(1)(f)).

How this connects to the rest of DPMS

The DPIA detail page is one of the most highly connected screens in DPMS. From here you reach out to almost every other module:

  • The DPIA index (/dpia) lists every DPIA and links into this page.
  • The ROPA detail page links to every DPIA related to a processing activity, and vice versa.
  • Tasks, Assessments, Assets, Consultation processes and Risk Scenarios all open in their own detail pages but remember this DPIA as the parent for back-navigation.
  • The View treatment plan sub-tab links to the immutable, finalized plan, which can be opened in its own reading view.
  • The Required Actions dashboard and the Workflow inbox point reviewers and approvers directly to the relevant tab here.

Several cross-cutting features depend on what you configure here:

  • The status and responsible persons drive the global notification system (deadline reminders, review reminders).
  • The risk evaluation values feed the company-wide privacy and security risk dashboards.
  • Treatment-plan items appear in global task and treatment-status reports.
  • Linked assessments and scenarios become traceable evidence for audits.

After finishing on this screen, common next steps are: trigger a review workflow under Manual Workflows; visit the linked ROPA(s) to make sure they reflect the conclusions of the DPIA; or open the global Tasks dashboard to see how the treatment-plan items are progressing.

Tips & common pitfalls

Tip: the previous/next chevrons next to the DPIA name follow the current filter on the index list — not the entire database. If you applied a search on the index, navigation here is scoped to that filtered set.
Heads up: the Consultation tab is read-only on this detail page. To edit a consultation, open it via its row and use its own edit form. First-time users often look for an edit pencil here that doesn't exist.
  • The risk sub-tabs only make sense once a current standard is configured. If Threshold, Scenarios and Current Risk look empty, start with Risk Evaluation → Standard.
  • DPIAs that are child objects (shared down from a parent organization) have several tabs locked. Their labels are greyed out, and edits must be made on the parent organization's record.
  • The Status pill change is immediate and does not go through a workflow. If your governance requires formal review, use Manual Workflows to launch the appropriate template instead.
  • Inline edit pencils require edit permission. If you only have read-on-assigned access, you'll see plain text instead of pencils — that's by design.
  • The AI helper consumes the AI credentials and quotas configured elsewhere in DPMS. If the AI button is disabled or hidden, check your tenant's AI settings or your personal AI permission.


Was this article helpful?

English
Powered by Product Fruits