What is a Data Privacy Impact Assessment (DPIA)?

Prepare for the TPG Qualification Exam with interactive quizzes that include flashcards and multiple choice questions, complete with hints and explanations. Perfect your readiness with our comprehensive materials for the test!

Multiple Choice

What is a Data Privacy Impact Assessment (DPIA)?

Explanation:
A Data Privacy Impact Assessment is a structured process to identify and evaluate the privacy risks of a planned project or data processing activity, and to specify mitigations that protect individuals’ data rights. It involves outlining what data will be collected, how it will be used, who will access it, how long it will be kept, where it will be stored, and how subjects can exercise their rights. The goal is to determine whether the processing is necessary and proportionate, to anticipate potential privacy harms, and to document risk levels and the measures put in place to reduce those risks. Typical mitigations include data minimization, purpose limitation, privacy by design, pseudonymization or anonymization, strong access controls, encryption, clear retention schedules, transparent notices, and appropriate consent or lawful bases where required. Conducting a DPIA early in a project (and updating it for material changes) helps ensure compliance with data protection laws and better protection of individuals’ privacy. This isn’t about marketing impact, contract validation, or setting pricing; those are outside the privacy-risk assessment scope.

