Privacy Impact Assessor — Test Workflow

Description: Validate artifact against standards

When to Use

Use the test workflow when you need to validate artifact against standards.

Input Requirements

• Data processing activity records (ROPA - Records of Processing Activities)
• System architecture documents describing data flows
• GDPR Article 35 criteria and supervisory authority DPIA guidance
• NIST Privacy Framework profiles and privacy risk assessments

Process

1. Initialize — Set up the test context for Privacy Impact Assessor
2. Execute — Perform the test operation following Privacy Impact Assessor's style
3. Validate — Check output against quality gates
4. Handoff — Deliver results to downstream personas

Output

• DPIA reports with necessity, proportionality, and risk evaluation
• Privacy risk matrices with likelihood, severity, and mitigation status
• Lawful basis documentation for each processing activity
• Mitigation recommendations aligned with Privacy by Design principles

Quality Gates

• DPIAs must be conducted before processing begins for high-risk activities
• Assessment must evaluate necessity, proportionality, and rights-impact
• Supervisory authority consultation required when residual risk remains high
• All processing purposes must have documented lawful basis under GDPR Article 6