Types of Privacy Assessment

DPIA, LIA, TIA, the Article 28 processor review, PIA and the EU AI Act FRIA — what each one is, its legal basis, and when it applies.

A privacy programme runs a handful of distinct assessments, each with its own trigger and legal basis: the Data Protection Impact Assessment (DPIA), the Legitimate Interests Assessment (LIA), the Transfer Impact Assessment (TIA), the Article 28 processor review, the broader Privacy Impact Assessment (PIA), and — for high-risk AI — the EU AI Act Fundamental Rights Impact Assessment (FRIA). They are often confused because they overlap, but each answers a different question. This guide defines each, gives its legal basis, and sets out when it applies.

Key takeaways

  • The DPIA (Article 35) and the Article 28 review are the legally mandatory ones; the LIA is required in substance to rely on legitimate interests.
  • The TIA is for restricted transfers; the PIA is broader, voluntary best practice.
  • The FRIA is an EU AI Act obligation for certain high-risk-AI deployers — it does not apply under UK law.
  • They overlap by design: a high-risk activity that transfers data abroad and uses AI can need a DPIA, a TIA and a FRIA together.

DPIA — Data Protection Impact Assessment

A DPIA assesses the risk a processing operation poses to individuals' rights and freedoms, and the measures to reduce it. It is mandatory under GDPR Article 35 before processing “likely to result in a high risk” — with three automatic cases in Article 35(3) and each regulator's own Article 35(4) list. For the full trigger detail, see the DPIA software guide and the DPIA requirements for Ireland and the UK.

LIA — Legitimate Interests Assessment

An LIA establishes whether legitimate interests can be the lawful basis for processing under GDPR Article 6(1)(f), through the three-part test: a purpose test, a necessity test and a balancing test. The ‘LIA’ form is regulator guidance (the ICO and the former Article 29 Working Party) rather than express GDPR text, but carrying it out is required in substance to rely on the basis, and recording it is accountability good practice. The field-by-field structure is in the LIA template.

TIA — Transfer Impact Assessment

A TIA checks whether a transfer of personal data outside the EEA keeps protection “essentially equivalent” to the EU standard. It follows the CJEU's Schrems II ruling and GDPR Chapter V / Article 46, and is required for restricted transfers relying on a transfer tool (such as the SCCs) without an adequacy decision. The full method is in the Transfer Impact Assessment guide.

Article 28 processor review

Before engaging a processor, a controller must use only those providing “sufficient guarantees” under GDPR Article 28, evidenced in a written data processing contract. This is a due-diligence and contracting obligation rather than a formal impact assessment, but it sits in the same assessment workflow because it turns on the same facts about the data and the relationship. See vendor and processor due diligence.

PIA — Privacy Impact Assessment

A PIA is a broad, early review of the privacy risks of a new project or product. It is not a defined GDPR instrument; its closest GDPR anchor is the data-protection-by-design duty in Article 25, and in an EU/UK context the operative, narrower instrument is the DPIA. A PIA is best treated as a voluntary screen that escalates to a DPIA if the processing looks high-risk.

FRIA — Fundamental Rights Impact Assessment

A FRIA assesses the impact on fundamental rights of deploying a high-risk AI system. It is required under Article 27 of the EU AI Act (Regulation (EU) 2024/1689) of certain deployers — bodies governed by public law, private entities providing public services, and deployers of specific Annex III systems — before first use. It complements, and does not replace, a GDPR DPIA. One honest caveat: the EU AI Act is not UK law, so there is no UK FRIA duty — a UK firm is only caught if its high-risk AI affects people in the EU. See the EU AI Act guide.

The privacy assessments at a glance

Assessment         | Legal basis                                    | When it applies
-------------------|------------------------------------------------|------------------------------------------------------
DPIA               | GDPR Article 35                                | Mandatory before high-risk processing
LIA                | GDPR Article 6(1)(f) (ICO/WP29 guidance)       | To rely on the legitimate-interests basis
TIA                | Schrems II + Chapter V / Article 46            | Restricted transfers outside the EEA without adequacy
Article 28 review  | GDPR Article 28                                | Before engaging any processor
PIA                | Not a GDPR instrument; nearest is Article 25   | Voluntary best-practice screen
FRIA               | EU AI Act Article 27 (EU only, not UK)         | Certain high-risk-AI deployers, before first use

Acompli runs the GDPR assessments — DPIA, LIA, TIA and the Article 28 review — in one governed workflow, with approved output feeding the Article 30 RoPA. See Assessments and the privacy assessment software comparison.

Common questions about privacy assessment types

What is the difference between a DPIA and a PIA?

A PIA (Privacy Impact Assessment) is a broad, often voluntary review of the privacy risks of a project; it is not a defined GDPR instrument and its closest GDPR anchor is the data-protection-by-design duty in Article 25. A DPIA (Data Protection Impact Assessment) is the specific, legally mandated assessment under GDPR Article 35, required before processing likely to result in a high risk to individuals, with prescribed contents under Article 35(7). In an EU or UK GDPR context the operative instrument is the DPIA; 'PIA' is best understood as the broader, best-practice predecessor or a loose synonym.

What is the difference between a DPIA, an LIA and a TIA?

They answer different questions. A DPIA (Article 35) asks whether a high-risk processing activity can be done lawfully and how to reduce the risk. An LIA (Legitimate Interests Assessment) asks whether legitimate interests can be the lawful basis for processing under Article 6(1)(f), through the three-part purpose, necessity and balancing test. A TIA (Transfer Impact Assessment) asks whether a transfer of personal data outside the EEA keeps protection essentially equivalent, following Schrems II and the Chapter V transfer tools. They overlap — a high-risk activity that also transfers data abroad can need a DPIA and a TIA — but each has its own trigger and legal basis.

Does the EU AI Act FRIA apply in the UK?

No. The Fundamental Rights Impact Assessment (FRIA) is an obligation under Article 27 of the EU AI Act (Regulation (EU) 2024/1689) for certain deployers of high-risk AI systems. The EU AI Act is not UK law, and the UK has no equivalent AI statute as of 2026, so there is no UK FRIA duty. A UK organisation can still be caught by the EU obligation if it deploys high-risk AI that affects people in the EU — but that is the EU regime applying extraterritorially, not UK law. A FRIA complements, and does not replace, a GDPR DPIA where personal data is processed.

Which privacy assessments are legally required?

The DPIA is legally mandatory under GDPR Article 35 where processing is likely to result in a high risk. The Article 28 processor due-diligence obligation is mandatory before engaging any processor. An LIA is required in substance whenever you rely on the legitimate-interests basis (Article 6(1)(f)), though documenting it as a formal 'LIA' is accountability good practice. A TIA is required for restricted transfers outside the EEA that rely on an Article 46 tool without an adequacy decision. A PIA is voluntary best practice, and the EU AI Act FRIA applies only to certain high-risk-AI deployers under EU law.