pia-review-cadence
Managing PIA Review and Update Cadence
Overview
Art. 35(11) requires controllers to carry out a review to assess whether processing is performed in accordance with the DPIA, at least when there is a change in the risk represented by processing operations. A DPIA is not a one-time compliance exercise but a living document that must be maintained throughout the processing lifecycle. This skill establishes the governance framework for DPIA reviews, including trigger event identification, scheduled review cadence, version control, stakeholder sign-off, and DPIA register management.
Art. 35(11) Review Obligation
"Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change in the risk represented by processing operations."
This means:
- Reviews are mandatory when risk changes
- The controller should proactively monitor for risk changes
- Regular periodic reviews are a best practice even without identified changes
- The DPIA must be updated to reflect the current state of processing