Free 2-Minute Check

Do You Need a DPIA, a PIA, or a Privacy Risk Assessment?

Eight quick questions to point you in the right direction. Indicative only, not legal advice.

About 2 minutes, 8 questions

Privacy assessments come with an alphabet soup of names, and it is genuinely hard to tell which one applies to you. This quick check looks at what you process, who it belongs to, and what is driving the question, then points you toward a DPIA, a PIA, a lighter risk assessment, or nothing much for now. It is a starting point, not a binding assessment.

A clear direction

Find out whether you are looking at a DPIA, a PIA, a risk assessment, or nothing urgent.

Plain language

No statute numbers. Everyday questions about how your product actually handles data.

Built for tech

Written for SaaS and software teams, where large scale is often just the ordinary course of business.

  1. Answer eight quick questions about your data and product.
  2. See which assessment fits, and which privacy rules apply to you.
  3. Get a clear next step, and a link to talk it through if you want.

Built by Ross Saunders, CIPP/E, from 15 years of privacy and cybersecurity work with software teams.

Is this legal advice?

No. It is an indicative check to point you in the right direction. The exact rules under the GDPR and Quebec's Law 25 have nuance that a full assessment, or your own counsel, should confirm.

What is the difference between a PIA and a DPIA?

A DPIA is the version of a privacy impact assessment the GDPR expects for higher-risk processing. A PIA is the broader, general-practice assessment used in Canada and elsewhere. The work is largely the same.

How long does it take?

About two minutes. Eight questions, plus a couple about where your users are.
