When should a privacy impact assessment be conducted?

Evaluating privacy risks before making changes is essential. A privacy impact assessment looks at how new processes or tools will affect personal data, helps you spot potential risks to individuals’ rights, and guides you to put safeguards in place from the start. Conducting it before implementation lets you design with privacy in mind—minimizing data collection, choosing secure processing methods, and building in controls like access limits and data retention plans. It also supports regulatory expectations (for example, many frameworks require DPIAs or equivalent when a new project could pose high privacy risks) and helps avoid costly changes after something is already built.

Waiting until after deployment misses the chance to address the risks in the design phase, when changes are easier and less disruptive. It’s not limited to situations with a data breach, and it’s not solely about international data—the risk assessment should occur for new processing that could impact privacy, regardless of where the data travels.