Privacy Impact Assessments

Privacy Impact Assessments (PIA & DPIA) for SaaS and Tech Companies

Know exactly what privacy risk your product is carrying, and what to do about it. An interview-led assessment that lands as a clear report, a risk register, and a roadmap your team can act on, not a checklist to file.

Not sure if you need one yet? Get an instant risk score in 15 questions →

What Is a Privacy Impact Assessment?

A Privacy Impact Assessment (PIA) is a structured review of how a product, feature, or project handles personal data, and where the privacy risks actually sit. It answers four questions in plain terms: what data you collect, how it moves through your systems, which obligations apply to you, and what to fix first. A Data Protection Impact Assessment (DPIA) is the version of this that the GDPR requires for high-risk processing.

For software and SaaS companies, it is usually the difference between finding a privacy problem during design, when it is cheap to fix, and finding it during an enterprise security review or a regulator's questions, when it is not.

PIA vs DPIA vs Privacy Risk Assessment

These terms get used interchangeably, and they overlap, but they are not identical. Here is the practical difference.

Privacy Impact Assessment (PIA)
  What it is: A structured review of privacy risk in a specific product, feature, or project.
  When it applies: Good practice for any new or changed product handling personal data; required by some laws.
  Where: Canada (PIPEDA, Quebec Law 25) and widely as best practice.
  Best for: Launching or changing a product or feature.

Data Protection Impact Assessment (DPIA)
  What it is: The GDPR's named, required form of a PIA for high-risk processing.
  When it applies: Legally required under GDPR Article 35 when processing is high risk.
  Where: EU and UK GDPR.
  Best for: EU or UK-facing products, or any high-risk processing.

Privacy Risk Assessment
  What it is: A broader look at your overall privacy posture and exposure, not tied to one project.
  When it applies: Any time you want to understand where you stand before something forces the question.
  Where: Anywhere; it is a practice, not a statutory term.
  Best for: Getting a baseline before an audit, deal, or program build.

A note on "high risk": the bar is broader than most teams assume. A DPIA is required for things like profiling with significant effects, large-scale processing of sensitive data, or systematic monitoring, and regulators treat meeting two of their nine risk factors as a likely trigger. For a data-driven SaaS or tech product, "large scale" is often just the ordinary course of business, so if you profile users, track behaviour, handle sensitive data, or run AI on personal data, you are frequently already in scope. When a DPIA is not strictly required, a PIA is still the cheaper path than finding the gap during a deal or an audit.

In practice, the work is the same engagement. The label depends on which law applies to you and what triggered it, and I deliver all three.

When Do You Actually Need One?

If any of these sound like your next quarter, an assessment is worth doing before, not after.

An Interview-Led Process, Not a Spreadsheet Exercise

The detail that makes an assessment useful comes from talking to the people who build and run the product, then backing it with the evidence. Here is the path from kickoff to a roadmap you can hand to your team.

Step 1
Interviews & Evidence

Four to ten interviews, depending on the size of the organization and product, plus collecting your current policies, data schemas, and existing documentation.

Step 2
Collate

I turn that into a clear picture of what data you hold, how it flows, and which obligations actually apply to you.

Step 3
Build the Report

Findings documented against the privacy obligations relevant to your business, in plain language your team and your clients can read.

Step 4
Risk Register

Every risk logged, rated, and owned, so it lives in a system you can track rather than in a one-off document.

Step 5
Prioritized Roadmap

A sequenced plan of what to fix and in what order, built to be delivered. If you want, I stay on to help deliver it.

Typical Timeline
4 to 12 Weeks

A focused assessment of one feature sits at the short end. A full DPIA across a complex platform sits at the longer end.

Deliverables You Can Actually Use

Three Ways to Run It

Scope depends on the size of your product and how much is in play. Every engagement ends with a report, a risk register, and a roadmap.

Focused PIA
Starting at
$4,500

A single product or feature.

  • Scoped to one product or feature
  • Fewer interviews, shorter timeline
  • Report, risk register, and roadmap
  • Findings readout with your team
Book a Discovery Call →

PIA + Implementation
Custom

Assessment plus hands-on delivery.

  • Everything in Full PIA / DPIA
  • Hands-on delivery of the roadmap
  • Often the lead into ongoing advisory
  • Scoped to what you want delivered
Talk Through Scope →

Pricing depends on scope and complexity. A 15-minute discovery call is the fastest way to a firm number.

Get a Read on Your Risk for Free

Not ready for a full assessment? These free tools give you a picture in minutes, and a sensible starting point for a conversation.

Tech Privacy Risk Score

Fifteen questions, an instant score, and where your biggest exposures likely are.

Run the assessment →

SDLC Privacy Risk

For dev teams: where privacy and security risk sits across your development lifecycle.

Check your SDLC →
Privacy Cost Calculator

Put a number on what privacy debt is quietly costing your development team.

Estimate the cost →

PIA and DPIA Questions, Answered

What is a Privacy Impact Assessment (PIA)?

A structured review of how a product, feature, or project handles personal data, and where the privacy risks are. It identifies what data you collect, how it flows, which obligations apply, and what to fix, delivered as a report, a risk register, and a prioritized roadmap.

What is the difference between a PIA and a DPIA?

A DPIA is the specific form of PIA required under Article 35 of the GDPR for high-risk processing. A PIA is the broader, general-practice assessment used in Canada and elsewhere. The method is largely the same; the DPIA carries a statutory trigger and required contents under EU and UK law.

When is a DPIA legally required?

Under GDPR Article 35, a DPIA is required when processing is likely to result in a high risk to individuals: for example large-scale processing of sensitive data, systematic monitoring, or profiling with significant effects. Many companies also run one because an enterprise customer requires it.

Does Quebec's Law 25 require a privacy assessment?

Law 25 requires a privacy impact assessment for certain projects, including acquiring or developing information systems that involve personal information and some transfers of personal information outside Quebec. The exact triggers should be confirmed for your specific situation.

How long does a Privacy Impact Assessment take?

Typically four to twelve weeks, depending on the complexity of the product and the organization. A focused assessment of a single feature is at the shorter end; a full DPIA across a complex platform is at the longer end.

Can you assess AI features?

Yes. AI in a product introduces privacy questions most teams have not mapped, and an assessment covers them directly. Where deeper AI-specific threat modelling is warranted, that is a related service rather than part of the PIA itself.

Do you only work with tech companies?

The focus is software, SaaS, and technology-heavy organizations, because that is where the work is sharpest. The same assessment applies well to most organizations that handle personal data.

Want the longer read first? Before your next enterprise deal closes, someone will ask about your PIA →

Find Out What You're Carrying

The discovery call is 15 minutes. No commitment, no pitch deck. We talk through your product, what is triggering the assessment, and what the right scope looks like. If you would rather see where you stand first, the Tech Privacy Risk Score takes a few minutes.

Assessments run by Ross Saunders, CIPP/E, with 15 years in privacy and cybersecurity and a background in software and SaaS leadership.

Last updated 27 June 2026