What is a privacy impact assessment (PIA) and when should it be conducted for AI projects?

Study for the CompTIA SecAI+ (CY0-001) Exam. Review flashcards and multiple choice questions, each with detailed explanations. Ace your certification!

Multiple Choice

What is a privacy impact assessment (PIA) and when should it be conducted for AI projects?

Explanation:
A privacy impact assessment is a structured process to identify and mitigate privacy risks that arise from data processing in a project. For AI projects, this means mapping how data flows through the system, what personal data is collected and how it’s used, who has access, where it’s stored, how long it’s kept, and what safeguards are in place to protect privacy, including considerations around model training data and potential re-identification risks. It should be conducted early in the project lifecycle—during scoping and design—especially when personal data or new data pipelines are involved, so privacy protections can be built in before deployment. This isn’t about post‑deployment performance benchmarks, financial data audits, or a legality check limited to international transfers; those describe different kinds of assessments that don’t address the privacy risks intrinsic to data processing in AI systems.

