Impact analysis

“Impact” in GDPR programmes usually means: DPIA (high-risk processing), transfer impact (third countries), and balancing tests for legitimate interests. Use the links below to move from analysis to documented decisions in this hub.

Data Protection Impact Assessment (Article 35)

When processing is likely to result in a high risk, document the assessment, consult your DPO, and, where required, consult the supervisory authority.

Data transfers & third countries

When personal data leaves the EEA/UK, assess transfer safeguards (SCCs, IDTA, adequacy, BCRs) and residual risk. Map processors in your inventory and DPAs.

Legitimate interests & balancing

Where you rely on Article 6(1)(f), document necessity, reasonable expectations, and a balancing test that favours the data subject where interests conflict.

Legal basis register

Rights & harms

Impact analysis should feed into DSAR handling, breach severity, and retention—so the same facts are consistent across your programme.