The Impact Assessments module in Secure Privacy's Governance Solution provides a structured workflow for completing Data Protection Impact Assessments (DPIAs) as required under GDPR Article 35. It guides your team through risk identification, mitigation documentation, and multi-step approval — producing audit-ready DPIA records for regulators, auditors, and internal stakeholders.
Who Is This For?
Data Protection Officers responsible for conducting and signing off on impact assessments under GDPR Article 35
Compliance teams ensuring DPIA requirements are identified and fulfilled before high-risk processing begins
Project managers launching new products, services, or systems that involve personal data processing
GDPR DPIA Requirements: When Is a DPIA Required?
Under GDPR Article 35, a DPIA is mandatory when processing is likely to result in a high risk to individuals' rights and freedoms. This includes processing that involves:
Systematic and extensive profiling with significant effects on individuals
Large-scale processing of special category data or criminal offense data
Systematic monitoring of publicly accessible areas on a large scale
Use of new technologies that may introduce unforeseen privacy risks
Automated decision-making — including profiling — that produces legal or similarly significant effects on individuals
Creating a New DPIA Assessment
Step 1: Navigate to Impact Assessments
From the left sidebar in the Governance Solution, go to Compliance > Impact Assessments and click + New Assessment.
Step 2: Select the assessment type
Choose the type of assessment — DPIA or another privacy assessment type supported by the platform — based on the nature of the processing activity being reviewed.
Step 3: Complete the DPIA assessment form
The structured form guides you through all required GDPR Article 35(7) fields:
| Field | Description |
|---|---|
| Assessment Name | A descriptive title identifying the processing activity or project being assessed |
| Risk Level | Automatically calculated based on your answers — Low, Medium, or High |
| Status | Current stage of the assessment — Draft, Pending Approval, Approved, or Rejected |
| Data Categories | Types of personal data involved in the processing activity (e.g., Personal Data, Location Data, Special Category Data) |
| Last Review | Date of the most recent review — used to track when the DPIA is due for reassessment |
Step 4: Risk identification and mitigation
The platform automatically identifies potential risk areas based on the data categories and processing activities you describe. Review each flagged risk, document your mitigation measures, and record the controls being implemented — satisfying the mitigation documentation requirements of GDPR Article 35(7)(d).
Step 5: Submit for approval
Once complete, submit the assessment for approval. If a Workflow is configured for impact assessments, the DPIA will automatically route through the required approval chain — ensuring the DPO and any other required approvers review and sign off before processing begins.
Managing DPIA Records
Searching and filtering
Use the search bar and Filters to find assessments by name, type, risk level, status, or data categories — keeping your impact assessment register navigable as it grows.
Exporting assessments
Click Export to download assessment records in a format suitable for submission to supervisory authorities, sharing with auditors, or inclusion in internal compliance documentation.
Version history
All assessment changes are tracked with versioned records. View the full history of any DPIA to see how it has evolved — providing a complete audit trail of the assessment process from initial draft to final approval.
DPIA Best Practices
Conduct DPIAs before high-risk processing begins
GDPR Article 35 requires DPIAs to be completed before the processing activity starts — not retrospectively. Use the pre-screening trigger in the module to identify when a new project or system requires a DPIA as early as the planning stage.
Involve stakeholders early
Bring in IT, legal, and the DPO from the outset — not just at the approval stage. Early involvement ensures the DPIA reflects technical realities and that mitigation measures are feasible before design decisions are finalized.
Document all mitigation measures and track implementation
Every identified risk must be accompanied by documented mitigation measures. Link DPIA mitigation actions to the Risk Management module to ensure they are tracked to completion — not just recorded and forgotten.
Schedule regular DPIA reviews
DPIAs must be revisited when the associated processing activity changes. Schedule periodic reviews in the Compliance Calendar — particularly for long-running processing activities where technology, data categories, or risk profiles may evolve over time.
Use workflow automation for consistent approval processes
Configure the Workflow & Automation module with the Impact Assessment Approval template to enforce a consistent, documented review and sign-off process for every DPIA — eliminating ad hoc approval practices and ensuring audit trail completeness.
Next Steps
Link DPIA results to the Risk Management module for ongoing risk monitoring and mitigation tracking
Set up the Impact Assessment Approval workflow in Workflow & Automation to enforce structured DPIA review chains
Schedule periodic DPIA reviews in the Compliance Calendar to ensure assessments remain current as processing activities evolve
Frequently Asked Questions
Does the Impact Assessments module satisfy GDPR Article 35(7) documentation requirements?
Yes. The structured assessment form captures all fields required under GDPR Article 35(7) — including a systematic description of the processing, a necessity and proportionality assessment, risk identification, and mitigation measures. Completed assessments can be exported in audit-ready format for supervisory authority submission or regulatory review.
What happens if a DPIA identifies a high residual risk that cannot be mitigated?
If residual risk remains high after mitigation measures are applied, GDPR Article 36 requires prior consultation with the supervisory authority before processing begins. Your DPO should be notified immediately — and if you are using Secure Privacy's DPO as a Service, your assigned DPO will advise on whether prior consultation is required and manage the process.
Can DPIAs created in the module be linked to specific processing activities in the Process Register?
Yes. Impact assessments can be linked to related process records in the Process Register module, creating end-to-end traceability from the processing activity documented in your ROPA through to its associated DPIA — supporting comprehensive GDPR accountability documentation.