GDPR data protection impact assessment (PIA) and purpose definition

The KPMG privacy video series is designed to help your organization think through the priorities of GDPR and align your privacy compliance efforts without disrupting business.

  • Welcome to KPMG’s privacy video series.
  • This video is the first of three focused on how to sustain GDPR efforts.
  • This is essential to building a living, breathing program rather than leading a one-time project.
  • We will focus on how to address one of the most complex GDPR legal obligations, the Data Protection Impact Assessment, or DPIA.


  • GDPR requires a DPIA prior to planned changes likely to result in a “high risk” to individual privacy rights.
  • GDPR lacks a full definition of “high risk,” so your organization must define its own risk appetite and scope DPIAs accordingly.
  • Our clients often struggle with how to capture and evaluate changes requiring a DPIA.
  • We recommend that all significant processing and technology changes are reviewed for DPIA triggers as part of change management.
  • Change management should reference the purpose definition, thereby creating a purpose definition inventory.
  • This purpose definition inventory should be the basis for evaluating which changes are significant and impact individual privacy rights.
  • Refer to the Article 29 Working Party guidance on DPIA risks and triggers for more information.


  • This practical approach will help your organization prepare a DPIA that minimizes disruption to your business.
  • Thank you for your time and attention.
  • Thanks for watching.


Steven Stein

Principal, Cyber Security, KPMG US

+1 312-665-3181