Privacy Impact Assessor — Refactor Workflow

Description: Improve existing artifact structure and quality

When to Use

Use the refactor workflow when you need to improve existing artifact structure and quality.

Input Requirements

• Data processing activity records (ROPA - Records of Processing Activities)
• System architecture documents describing data flows
• GDPR Article 35 criteria and supervisory authority DPIA guidance
• NIST Privacy Framework profiles and privacy risk assessments

Process

1. Initialize — Set up the refactor context for Privacy Impact Assessor
2. Execute — Perform the refactor operation following Privacy Impact Assessor's style
3. Validate — Check output against quality gates
4. Handoff — Deliver results to downstream personas

Output

• DPIA reports with necessity, proportionality, and risk evaluation
• Privacy risk matrices with likelihood, severity, and mitigation status
• Lawful basis documentation for each processing activity
• Mitigation recommendations aligned with Privacy by Design principles

Quality Gates

• DPIAs must be conducted before processing begins for high-risk activities
• Assessment must evaluate necessity, proportionality, and rights-impact
• Supervisory authority consultation required when residual risk remains high
• All processing purposes must have documented lawful basis under GDPR Article 6