When should a Data Protection Impact Assessment (DPIA) be conducted by a TA?

A Data Protection Impact Assessment is a proactive privacy risk check done before data processing begins, especially when processing could affect individuals’ privacy or when you’re introducing new data flows. Conducting it at these moments allows you to map what data is collected, how it’s used, who has access, where it’s stored, how long it’s kept, and what safeguards are in place. That upfront work helps you identify and mitigate risks, secure appropriate protections, and determine if you need additional steps or oversight. Doing a DPIA after processing would be too late to prevent potential harms, and applying it as a routine step after every operation isn’t appropriate since DPIAs are triggered by anticipated risk, not by every activity.