Impact assessments are essentially risk management tools, whether they are concerned with the environment, society, business, or personal data. In case of personal data, Article 35 of the GDPR requires controllers to conduct a data protection impact assessment (“DPIA”) prior to undertaking processing activities that are likely to pose high risk to the rights and freedoms of natural persons. This is essentially a holistic risk assessment taking into account the nature, scope, context and purposes of the processing.