
Since the entry into force of the GDPR (General Data Protection Regulation) in May 2018, organizations, both public and private, have been required to strengthen their accountability in terms of personal data protection. One of the most powerful tools for assessing and controlling the risks associated with the processing of sensitive data is the Privacy Impact Assessment (PIA).

Although still little known or poorly used, the GDPR PIA is nevertheless mandatory in certain cases and strongly recommended as part of a comprehensive compliance approach. It enables the identification of risks to the rights and freedoms of data subjects and demonstrates the implementation of appropriate security measures.

In this article, we answer all your questions about the GDPR PIA: what is it for? When should it be carried out? How can it be implemented effectively? What are the consequences if it is overlooked? Follow the guide to ensure your processing operations are compliant.

What is a GDPR PIA and why is it essential for data protection?

The PIA, or Privacy Impact Assessment, is a structured analysis process designed to anticipate the potential impacts of personal data processing on the privacy of the individuals concerned. Provided for in Article 35 of the GDPR, the main purpose of the PIA is to assess the risks associated with personal data processing and to ensure that adequate security measures are in place to reduce them.

It also makes it possible to demonstrate the compliance of a processing operation from its design stage and to limit legal or reputational risks.

In which cases is the PIA mandatory according to the GDPR and the criteria of the CNIL (National Commission for Information Technology and Civil Liberties)?

The GDPR requires a PIA (AIPD in French) to be carried out whenever data processing is "likely to result in a high risk to the rights and freedoms of data subjects" (Article 35). This mainly concerns processing operations that are likely to have a significant impact on the privacy, security, or fundamental rights of individuals.

1. The processing is included in the list published by the CNIL.

The CNIL has established an official list of processing operations for which a PIA is considered mandatory. This list includes, for example:

  • Large-scale surveillance,
  • Biometric devices,
  • Processing of health data outside the medical context,
  • Profiling for marketing purposes, etc.

Please note: this list is indicative but not exhaustive. The absence of your processing operation from this list does not mean that a PIA is not necessary.

2. The processing fulfils at least two of the nine criteria of the G29 (Article 29 Working Party) guidelines, as applied by the CNIL.

If your project meets at least two of the following criteria, a GDPR PIA is required:

  • Evaluation or scoring (e.g. profiling, rating, credit scoring),
  • Automated decision-making with legal or similar effect (e.g. automatic credit denial),
  • Systematic monitoring (e.g. video surveillance, GPS tracking),
  • Processing of sensitive or highly personal data (e.g. health, sexual orientation),
  • Large-scale collection of personal data,
  • Cross-referencing or combining datasets,
  • Processing concerning vulnerable persons (children, patients, elderly persons),
  • Use of innovative or experimental technologies (AI, connected objects, etc.),
  • Processing that may lead to the exclusion of a right, service, or contract.

💡 Good to know: the healthcare sector is particularly affected by these criteria. Between the processing of sensitive data, the vulnerability of the individuals concerned (patients), and the use of innovative technologies (telemedicine, connected devices, etc.), a project in the healthcare field very often meets at least two of these criteria, making a PIA almost always mandatory.

Download our guide dedicated to GDPR compliance in the healthcare sector to discover best practices, specific obligations, and a GDPR PIA template adapted to healthcare issues.


Concrete example:

A company wants to collect real-time geolocation data from several million users in order to offer them targeted advertising based on their movements.

This processing:

  • Uses new intrusive technology (geolocation),
  • Involves large-scale collection,
  • And processes potentially sensitive data (movements, habits, places frequented).

Result: this project meets at least two criteria, and therefore a PIA is mandatory.

⚠️ When in doubt: it is better to do a pre-assessment.

If you are unsure whether you are required to conduct a PIA, the CNIL recommends conducting a preliminary risk assessment. This will enable you to justify your decision (to do so or not) in the event of an inspection, and to adopt a responsible stance.

GDPR PIA and Privacy by Design: two concepts that should not be confused

It is common to confuse the PIA with the principle of Privacy by Design. The two concepts are related and complementary, but they do not mean the same thing.

  • Privacy by Design is a general principle of the GDPR: it means that personal data protection must be integrated from the outset of a project or processing operation. For example, choosing not to collect certain unnecessary data in the first place, or providing privacy-friendly options during software development (such as the inclusion of certain checkboxes).
  • The PIA, meanwhile, is a formal analysis process used to assess the specific risks posed by data processing and to document the measures put in place to reduce them. It is one of the concrete ways of applying Privacy by Design, particularly when processing poses high risks.

What you need to remember so as not to confuse the two concepts:

  • Privacy by Design is a rule of conduct.
  • The GDPR PIA is a tool for putting this rule into practice when the risks are significant.

A team working together to implement an impact assessment in accordance with the GDPR PIA.

How to conduct a GDPR PIA?

Conducting a PIA should not be a purely theoretical exercise. It is a structured method that allows you to understand the concrete risks of a processing operation and demonstrate its compliance with GDPR.

Here are the four essential steps to follow to conduct an effective PIA, particularly in sensitive areas such as healthcare, but applicable to any type of project.

1. Describe the proposed processing in detail.

First and foremost, the foundations of the processing must be laid:

  • Who is the controller?
  • What are the purposes?
  • What data is collected?
  • Who is affected?
  • Who are the stakeholders involved (internal or external)?
  • What are the data flows (transfers, access, storage)?

The goal here is to make the processing clear and understandable so that risks can be assessed with full knowledge of the facts.

2. Assess and analyze the risks for the individuals concerned

The second step is to think ahead: what could happen to people if something went wrong with the processing?

Common risks include:

  • Loss or theft of sensitive data,
  • Unauthorized disclosure,
  • Unauthorized access,
  • Unjustified profiling or misuse of data,
  • Damage to reputation, privacy, or physical safety.

This phase aims to identify concrete risk scenarios for individuals' rights and freedoms.

3. Measure the severity and likelihood of risks

Not all risks are equal. They must therefore be assessed according to two criteria:

  • Likelihood: how likely is it that the scenario will occur?
  • Severity: what would be the consequences for those affected?

The goal is to prioritize risks in order to focus on those that are most critical.

4. Define appropriate protective measures

Final step: implement concrete measures to reduce the identified risks. These measures may include:

  • Technical: pseudonymization, encryption, logging, access restriction, HDS-certified (health data) hosting, etc.
  • Organizational: staff training, internal procedures, documentation, records of processing activities, etc.

These measures will enable you to demonstrate the compliance of the processing and ensure the secure implementation of the project.

Who must carry out a PIA and what is the role of the DPO?

The controller is responsible for ensuring that the PIA is conducted when required.

The DPO (Data Protection Officer), although not legally responsible, plays a key role in:

  • Advising on the need to carry out a PIA,
  • Providing methodological support,
  • Assessing the risks and the proposed measures,
  • Retaining the PIA documentation.

Should the GDPR PIA be submitted to the CNIL?

No, as a general rule, the PIA does not need to be sent to the CNIL.
However, you must keep it in your documentation so that you can present it in the event of an inspection.

Exception: if, despite the measures envisaged, the processing still presents a high residual risk, you must consult the CNIL before starting the processing. This is referred to as a prior consultation request.

What are the risks and penalties for non-compliance with the PIA?

Ignoring the obligation to carry out a GDPR PIA can have serious consequences. The CNIL and other European supervisory authorities may impose:

  • An administrative fine of up to €10 million or 2% of global annual turnover,
  • A formal notice or suspension of processing,
  • Damage to the company's reputation.

Furthermore, in the event of a data breach, the absence of a PIA may aggravate the liability of the data controller before the courts.

Why integrate the GDPR PIA into the design phase of your projects?

The GDPR PIA is much more than a regulatory requirement. It is a management tool for anticipating risks, securing data processing, and establishing a genuine culture of compliance.

Integrated from the design phase onwards (the "Privacy by Design" approach), it helps to avoid costly mistakes and effectively protect the individuals concerned. In a context where data protection has become a matter of trust, the PIA is a strategic lever for any responsible organization.

Conclusion: the GDPR PIA, an essential step for responsible data management

In summary, conducting a GDPR PIA is a structured and essential process for ensuring compliance with personal data processing requirements. It allows you to verify the necessity of the processing, assess the level of risk to the rights of the individuals concerned, and document the choices made in terms of the proportionality of the processing.

Through rigorous analysis of data collection, purposes, and the list of processing operations involved, the PIA promotes informed decision-making that complies with the principles of security and transparency. It also helps to improve the information provided to individuals and to demonstrate proactive risk management from the project design stage onwards.

Beyond the legal obligation, integrating the GDPR PIA into your processes means choosing robust documentation, complete traceability, and a culture of compliance focused on protecting individual freedoms.

Samia Rahammia

IT and Data Lawyer and Marketing Project Manager