# Privacy Impact Assessment
> Source: https://legalcode.md/use-cases/privacy-impact-assessment | [HTML version](https://legalcode.md/use-cases/privacy-impact-assessment)

Assess privacy risks before you build — without creating new ones by uploading to a cloud service.

Privacy by design requires assessing privacy risks at the design stage, not after launch. Legalcode's PIA skill guides your agent through a structured privacy risk assessment for new products, features, or processes — covering both GDPR compliance requirements and broader privacy principles, with jurisdiction-aware analysis.

## How It Works

1. **Describe the product to your local agent** -- Tell your AI agent about the new product, feature, or process, working from your local design documents: what it does, what personal data it collects, who the data subjects are, and which markets it will operate in. All of this stays on your machine.

2. **Privacy risks identified** -- The skill identifies privacy risks across data minimisation, purpose limitation, retention, security, third-party sharing, individual rights, and cross-border transfer dimensions.

3. **Jurisdiction-specific compliance checks** -- For each jurisdiction where the product will operate, the skill checks specific compliance requirements — GDPR lawful basis, CCPA disclosure requirements, PDPA consent rules, and sector-specific rules.

4. **Mitigation recommendations** -- For each risk identified, the skill suggests specific mitigation measures — technical controls, policy requirements, consent flows, or design changes — with references to applicable guidance.

## Outputs

- Privacy risk register (risk × likelihood × severity)
- Jurisdiction compliance checklist
- Lawful basis analysis per processing activity
- Data flow map with third-party processor identification
- Individual rights obligations checklist
- Mitigation recommendations with guidance references
- DPIA trigger assessment (feeds into DPIA Generator if required)

## Jurisdictions

EU, UK, US, CA, AU, SG, BR, JP, IN, KR

## FAQ

### My product specs are confidential. Are they safe?

Your product descriptions and data flow diagrams never leave your device. The agent works with your specifications locally and queries Legalcode only for the privacy regulatory framework. Zero data retention applies — nothing about your product is logged, stored, or accessible to Legalcode.

### What is the difference between a PIA and a DPIA?

A Privacy Impact Assessment (PIA) is a broader privacy risk assessment practice. A Data Protection Impact Assessment (DPIA) is a specific legal requirement under GDPR Article 35 for high-risk processing activities. A PIA often triggers a DPIA — Legalcode's PIA skill includes a DPIA trigger assessment and links to the dedicated DPIA Generator skill if required.

### Does the skill cover the EU AI Act's privacy provisions?

Yes. For AI-powered products, the skill includes an EU AI Act risk classification assessment alongside the GDPR analysis, and identifies where the two regimes interact — particularly for high-risk AI systems that process personal data.

### Can I run this for an existing product rather than a new one?

Yes. The skill works for retrospective PIAs on existing products as well as prospective assessments. For retrospective assessments, it identifies compliance gaps and produces a prioritised remediation plan.

---
*Legalcode -- legalcode.md*
