Do You Need a DPIA, a PIA, or a Privacy Risk Assessment?
Eight quick questions to point you in the right direction. Indicative only, not legal advice.
About 2 minutes, 8 questions
Privacy assessments come with an alphabet soup of names, and it is genuinely hard to tell which one applies to you. This quick check looks at what you process, who it belongs to, and what is driving the question, then points you toward a DPIA, a PIA, a lighter risk assessment, or nothing much for now. It is a starting point, not a binding assessment.
Find out whether you are looking at a DPIA, a PIA, a risk assessment, or nothing urgent.
No statute numbers. Everyday questions about how your product actually handles data.
Written for SaaS and software teams, where large scale is often just the ordinary course of business.
Built by Ross Saunders, CIPP/E, from 15 years of privacy and cybersecurity work with software teams.
No. It is an indicative check to point you in the right direction. The exact rules under the GDPR and Quebec's Law 25 have nuance that a full assessment, or your own counsel, should confirm.
A DPIA is the version of a privacy impact assessment the GDPR expects for higher-risk processing. A PIA is the broader, general-practice assessment used in Canada and elsewhere. The work is largely the same.
About two minutes. Eight questions, plus a couple about where your users are.