Calculate a weighted privacy impact score across data types, processing activities, third-party sharing, and retention periods to support privacy review triage.
The Privacy Impact Score Calculator weights data sensitivity, processing intrusiveness, third-party sharing, and retention period into a 0-100 worksheet score. It is a triage aid, not a regulator-defined compliance rating.
A higher score suggests a workflow may deserve stronger safeguards or a fuller review. The page is useful when teams want a quick screen before deciding whether to run a formal privacy assessment.
This page should be used as an internal planning aid, not as a substitute for a formal DPIA or legal review under GDPR or other privacy laws.
A simple risk-scoring worksheet helps teams compare processing scenarios and decide which ones deserve earlier privacy review. It is most useful for prioritization and documentation, not for concluding that a project is compliant or exempt from a formal assessment.
Privacy Impact Score = Σ(Risk Factor × Weight) / Σ(Max Factor × Weight) × 100
Risk Level: 0–30 = Low, 31–60 = Medium, 61–80 = High, 81–100 = Critical
Result: Score: 63.0 (High Risk)
Data types (8×30) + Processing (6×25) + Sharing (4×25) + Retention (7×20) = 240 + 150 + 100 + 140 = 630. Max = (10×30) + (10×25) + (10×25) + (10×20) = 1000. Score = 630/1000 × 100 = 63.0 (High).
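The formula and bands above, implemented as an added example (not the page's own calculator code). It uses the page's default weights of 30/25/25/20 and 0–10 factor scores; the handling of fractional scores at band edges and the alternative weight set are assumptions for illustration.

```python
from typing import Dict, Tuple

# Default weights from the page: data types 30, processing 25, sharing 25, retention 20.
DEFAULT_WEIGHTS: Dict[str, int] = {
    "data_types": 30,
    "processing": 25,
    "sharing": 25,
    "retention": 20,
}
MAX_FACTOR = 10  # each factor is scored 0-10; 10 is the worst case

# Inclusive ceilings for the page's bands. Assumption: a fractional score such as
# 30.5 lies above the Low ceiling and is therefore Medium.
BANDS: Tuple[Tuple[float, str], ...] = (
    (30, "Low"), (60, "Medium"), (80, "High"), (100, "Critical"),
)


def privacy_impact_score(factors: Dict[str, float],
                         weights: Dict[str, int] = DEFAULT_WEIGHTS) -> float:
    """Return the 0-100 score rounded to one decimal, as the page presents it."""
    if set(factors) != set(weights):
        raise ValueError(f"factors {sorted(factors)} must match weights {sorted(weights)}")
    for name, value in factors.items():
        if not 0 <= value <= MAX_FACTOR:
            raise ValueError(f"{name} must be between 0 and {MAX_FACTOR}, got {value}")
    if any(w <= 0 for w in weights.values()):
        raise ValueError("weights must be positive")
    weighted = sum(factors[k] * weights[k] for k in weights)      # Σ(Risk Factor × Weight)
    maximum = sum(MAX_FACTOR * weights[k] for k in weights)       # Σ(Max Factor × Weight)
    return round(weighted / maximum * 100, 1)


def risk_level(score: float) -> str:
    """Map a score to the page's four bands (Low / Medium / High / Critical)."""
    for ceiling, label in BANDS:
        if score <= ceiling:
            return label
    raise ValueError(f"score out of range: {score}")


def assess(factors: Dict[str, float],
           weights: Dict[str, int] = DEFAULT_WEIGHTS) -> Tuple[float, str]:
    """Score a workflow and label its band; weights may be tuned per organisation."""
    score = privacy_impact_score(factors, weights)
    return score, risk_level(score)


if __name__ == "__main__":
    # Constructed input matching the page's worked example (8, 6, 4, 7).
    example = {"data_types": 8, "processing": 6, "sharing": 4, "retention": 7}
    print(assess(example))  # (63.0, 'High')
```

Passing a different weight dictionary (for instance one that weights data sensitivity at 40) reproduces the organisation-specific tuning the page describes, while the validation rejects factors outside 0–10 or a weight set that does not match the factors.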
Data sensitivity, profiling, third-party sharing, and retention length all change the practical privacy risk of a workflow. This page turns those factors into a common internal scoring frame so teams can compare projects more consistently.
Higher scores can justify earlier privacy review, stronger safeguards, or a fuller impact assessment. They should not be treated as a regulator-approved threshold that automatically determines whether a DPIA is legally required.
Use the score as an intake or triage tool in project approval, vendor review, and periodic compliance review. If the activity is genuinely high-risk, the next step is still a real DPIA or legal analysis rather than reliance on the worksheet alone.
This worksheet converts four user-scored factors into a weighted 0-100 internal screening score. The score is meant to help teams compare projects and decide whether a fuller privacy review is warranted.
It is not a regulator-defined compliance rating and it does not determine whether a DPIA is legally required. Those decisions still depend on the real processing activity, the applicable law, and formal review of necessity, proportionality, and safeguards.
A DPIA is a structured process to identify and minimize data protection risks of a project or processing activity. Under GDPR Article 35, a DPIA is mandatory when processing is likely to result in high risk to individuals' rights and freedoms.
Formal privacy assessments are often considered for systematic monitoring of public areas, large-scale processing of special category data, automated decision-making with legal effects, and other high-risk processing. A high privacy impact score suggests the workflow deserves closer review.
Special categories under GDPR include racial/ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health data, sex life, and criminal records. Financial data and children's data are also high-risk.
Review scores at least annually and whenever there are significant changes to processing activities, data types collected, third-party relationships, or retention policies. Major system upgrades should also trigger reassessment.
No. This calculator is a preliminary risk screening tool. A full DPIA requires detailed analysis of processing necessity, proportionality, risks to data subjects, and planned safeguards. This score only helps decide whether a fuller review is worth doing.
Weight distribution depends on organizational context. Financial firms may weight data sensitivity highest, while marketing firms may weight sharing highest. The default of 30/25/25/20 provides balanced assessment across factors.