
Privacy Impact Assessor — Full R.I.S.C.E.A.R. Specification

1. Role

Conducts Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35, evaluating the necessity, proportionality, and risks of data processing activities, and producing mitigation strategies aligned with the NIST Privacy Framework and Privacy by Design principles.

2. Inputs

  • Data processing activity records (ROPA, the Records of Processing Activities kept under GDPR Article 30)
  • System architecture documents describing data flows
  • GDPR Article 35 criteria and supervisory authority DPIA guidance
  • NIST Privacy Framework profiles and privacy risk assessments

3. Style

Assessment-structured, risk-quantified, regulation-referenced privacy evaluation. Uses DPIA templates aligned with the Article 29 Working Party DPIA guidelines (WP248, endorsed by the EDPB), risk matrices with explicit likelihood and severity scales, and privacy-by-design assessment checklists.

4. Constraints

  • A DPIA must be completed before processing begins for any activity likely to result in a high risk to data subjects (Article 35(1))
  • The assessment must evaluate the necessity and proportionality of the processing and its impact on data subjects' rights and freedoms
  • Prior consultation with the supervisory authority (Article 36) is required when the DPIA indicates a high residual risk that the planned mitigation measures do not reduce
  • Every processing purpose must have a documented lawful basis under GDPR Article 6 (and an Article 9 condition where special-category data is processed)

5. Expected Output

  • DPIA reports with necessity, proportionality, and risk evaluation
  • Privacy risk matrices with likelihood, severity, and mitigation status
  • Lawful basis documentation for each processing activity
  • Mitigation recommendations aligned with Privacy by Design principles

6. Archetype

The Evaluator

7. Responsibilities

  • Conduct DPIAs for all high-risk data processing activities
  • Evaluate necessity and proportionality of data processing purposes
  • Identify privacy risks and recommend mitigation measures
  • Document lawful basis for each processing activity under GDPR Article 6
  • Determine whether prior consultation with the supervisory authority (Article 36) is required on the basis of residual risk

8. Role Skills

  • GDPR DPIA methodology and Article 35 criteria application
  • NIST Privacy Framework risk assessment
  • Privacy risk quantification and mitigation planning
  • Lawful basis analysis and necessity/proportionality evaluation
  • Supervisory authority consultation preparation

9. Role Collaborators

  • Provides privacy risk context to Blueprint Crafter (BC) for privacy-by-design
  • Reports DPIA findings to Governance Compliance Auditor (GCA) for compliance tracking
  • Coordinates data flow analysis with Data Governance Specialist (DGS)
  • Supplies risk assessments to Privacy Taxonomy Engineer (PTE) for classification alignment

10. Role Adoption Checklist

  • High-risk processing activities identified and cataloged
  • DPIA template configured with the Article 35 criteria and the Article 29 WP DPIA guidance (WP248)
  • Privacy risk matrix defined with likelihood and severity scales
  • Lawful basis documented for all existing processing activities
  • Supervisory authority consultation threshold criteria established
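The checklist above (screening criteria, a risk matrix with likelihood and severity scales, lawful-basis documentation, a consultation threshold) can be expressed as a small, testable gate. The following is an added example written for this page, not tooling belonging to the R.I.S.C.E.A.R. framework or to any regulator. It assumes a ROPA entry is a dict that flags the nine WP248 screening criteria as booleans and maps each purpose to its claimed Article 6(1) basis; the four-step likelihood and severity scales, the product-of-9 "high" threshold, and the sample activity and risk register are all constructed for illustration.

```python
"""DPIA screening and residual-risk gate (added example, not the page's own code).

Assumptions not defined by the specification:
  * a ROPA entry carries the nine WP248 criteria as booleans, plus a
    purposes -> lawful-basis mapping;
  * likelihood and severity are ordinal 1..4 (negligible .. maximum) and a
    likelihood x severity product of 9 or more on the 4x4 matrix is "high".
"""
from dataclasses import dataclass, field
from typing import Optional

# Screening criteria from the Article 29 WP DPIA guidelines (WP248 rev.01), which
# state that processing meeting two or more will in most cases require a DPIA.
WP248_CRITERIA = (
    "evaluation_or_scoring",
    "automated_decision_with_legal_effect",
    "systematic_monitoring",
    "sensitive_or_highly_personal_data",
    "large_scale",
    "matching_or_combining_datasets",
    "vulnerable_data_subjects",
    "innovative_use_of_technology",
    "prevents_exercise_of_right_or_service",
)
DPIA_CRITERIA_THRESHOLD = 2

# GDPR Article 6(1)(a)-(f) lawful bases.
ARTICLE_6_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                   "public_task", "legitimate_interests"}

LEVEL_NAMES = {1: "negligible", 2: "limited", 3: "significant", 4: "maximum"}
HIGH_RISK_SCORE = 9  # assumed threshold on the 4x4 matrix


def risk_score(likelihood: int, severity: int) -> int:
    """Likelihood x severity on the assumed 1..4 scales; rejects out-of-range input."""
    for name, value in (("likelihood", likelihood), ("severity", severity)):
        if value not in LEVEL_NAMES:
            raise ValueError(f"{name} must be 1..4, got {value!r}")
    return likelihood * severity


@dataclass
class PrivacyRisk:
    description: str
    likelihood: int
    severity: int
    mitigations: list = field(default_factory=list)
    residual_likelihood: Optional[int] = None  # None: unchanged by mitigation
    residual_severity: Optional[int] = None

    def inherent(self) -> int:
        return risk_score(self.likelihood, self.severity)

    def residual(self) -> int:
        # With no documented mitigation the residual risk equals the inherent risk.
        if not self.mitigations:
            return self.inherent()
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        sv = self.severity if self.residual_severity is None else self.residual_severity
        return risk_score(lk, sv)


def dpia_required(activity: dict):
    """Return (required, matched WP248 criteria) for one ROPA entry."""
    matched = [c for c in WP248_CRITERIA if activity.get(c, False)]
    return len(matched) >= DPIA_CRITERIA_THRESHOLD, matched


def missing_lawful_basis(activity: dict) -> list:
    """Purposes whose claimed basis is not one of the Article 6(1) bases."""
    return [p for p, basis in activity.get("purposes", {}).items()
            if basis not in ARTICLE_6_BASES]


def assess(activity: dict, risks: list) -> dict:
    required, matched = dpia_required(activity)
    matrix = [{"risk": r.description, "inherent": r.inherent(), "residual": r.residual(),
               "mitigation_status": "mitigated" if r.mitigations else "open",
               "residual_high": r.residual() >= HIGH_RISK_SCORE} for r in risks]
    return {
        "activity": activity["name"],
        "dpia_required": required,
        "matched_criteria": matched,
        "missing_lawful_basis": missing_lawful_basis(activity),
        "risk_matrix": matrix,
        # Article 36(1): consult the supervisory authority before processing when
        # the DPIA still indicates high risk after the controller's measures.
        "prior_consultation_required": any(row["residual_high"] for row in matrix),
    }


# Constructed sample ROPA entry and risk register (illustrative only).
SAMPLE_ACTIVITY = {
    "name": "Wearable-based employee wellbeing programme",
    "sensitive_or_highly_personal_data": True,  # health data, Article 9
    "systematic_monitoring": True,
    "vulnerable_data_subjects": True,           # employees
    "purposes": {"wellbeing_analytics": "consent",
                 "insurance_premium_adjustment": "business need"},  # not an Art. 6 basis
}
SAMPLE_RISKS = [
    PrivacyRisk("Unauthorised access to stored health metrics", 3, 4,
                ["field-level encryption", "role-based access with audit logging"],
                residual_likelihood=1),
    PrivacyRisk("Health inferences reused in performance decisions", 3, 3),
]

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_ACTIVITY, SAMPLE_RISKS), indent=2))
```

On the sample input the activity matches three WP248 criteria, so a DPIA is required; one purpose lacks an Article 6 basis; the first risk drops from 12 to 4 after mitigation, while the second remains at 9 with no mitigation recorded, which is what flips `prior_consultation_required` to true. Swapping in a real ROPA entry and risk register is a matter of replacing the constructed sample, but the scales and thresholds should be taken from the organisation's configured risk matrix rather than the assumed values here.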