What is the purpose of a privacy impact assessment under UAP Document 301?

Study for the UAP Document 301 Test. Engage with flashcards and multiple choice questions, each with helpful hints and thorough explanations. Get ready for your exam!

Multiple Choice

What is the purpose of a privacy impact assessment under UAP Document 301?

Explanation:
A privacy impact assessment is about identifying and managing the privacy risks introduced by new data processing. In practice, a DPIA under UAP Document 301 asks what personal data will be collected, for what purposes, and whether the processing is necessary and proportionate. If risks are found, it requires selecting mitigations to reduce those risks, like data minimization, access controls, encryption, or retention limits, and then documenting the decisions, the mitigations chosen, and the residual risk. This structured, proactive approach ensures privacy considerations are built into the project from the start and that there is a record of how privacy risks were addressed and monitored over time.

Other options miss this core focus: auditing financial transactions targets financial controls, not privacy risk; reviewing only third-party security narrows the scope to vendors rather than the processing activity as a whole; and staff training on document handling is about awareness and procedures, not the assessment and mitigation of processing-related privacy risks.

