# Data Protection Impact Assessment (DPIA/PIA)

One-sentence definition: Risk assessment focused on privacy impacts of processing personal data, with mitigations and stakeholder input.

## Key Facts

- Triggered by high-risk processing (profiling, large-scale, sensitive data).
- Steps: describe processing, assess necessity/proportionality, evaluate risks, define controls.
- Consult DPO/privacy officer; consider data subject rights.
- Document outcomes and residual risks; review on changes.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Select when to require a DPIA and what it contains.

**Mnemonic:** “**Describe → Decide → Defend**.”

## Mini Scenario

Q: New facial recognition in stores—what to do?

A: Run DPIA with strong mitigations and legal review.

## Revision Checklist

- Name 3 DPIA components.
- Identify triggers.
- Tie to data minimization controls.

## Related

[[Privacy Principles and Data Protection]] · [[Data Minimization and Purpose Limitation]] · [[Data Residency and Sovereignty]] · [[Data Handling in Third-Party Contexts]] · [[Data Catalogs and Metadata Management]] · [[Domain 2 - Index]]