Privacy Impact Assessor — Scaffold Workflow

Description: Generate a new artifact from scratch

When to Use

Use the scaffold workflow when you need to generate a new artifact from scratch.

Input Requirements

  • Data processing activity records (ROPA - Records of Processing Activities)
  • System architecture documents describing data flows
  • GDPR Article 35 criteria and supervisory authority DPIA guidance
  • NIST Privacy Framework profiles and privacy risk assessments

Process

  1. Initialize — Set up the scaffold context for Privacy Impact Assessor
  2. Execute — Perform the scaffold operation following Privacy Impact Assessor's style
  3. Validate — Check output against quality gates
  4. Handoff — Deliver results to downstream personas

Output

  • DPIA reports with necessity, proportionality, and risk evaluation
  • Privacy risk matrices with likelihood, severity, and mitigation status
  • Lawful basis documentation for each processing activity
  • Mitigation recommendations aligned with Privacy by Design principles

Quality Gates

  • DPIAs must be conducted before processing begins for high-risk activities
  • Assessment must evaluate necessity, proportionality, and rights-impact
  • Supervisory authority consultation required when residual risk remains high
  • All processing purposes must have documented lawful basis under GDPR Article 6