Privacy Impact Assessment Score Calculator

Evaluate your organization's privacy risk by scoring six factors: data sensitivity, volume of data subjects, processing purpose, security controls, third-party sharing, and retention period. The resulting PIA score (0–100) indicates your overall privacy risk level.

Inputs

  • Sensitivity level (1–4): the highest sensitivity level of data processed.
  • Individuals: the estimated number of data subjects whose data is processed.
  • Purpose level (1–4): the primary purpose for which personal data is processed.
  • Controls score (0–10): a rating of the implemented security controls (encryption, access control, audit logs, incident response, etc.).
  • Sharing level (0–3): the level of third-party or cross-border data sharing involved.
  • Retention (months): how long personal data is retained.

Formula

PIA Score = S + V + P + M + T + R  (capped at 100)

  • S (Sensitivity, 0–30): S = ((sensitivity_level − 1) / 3) × 30  | Levels: 1=Public, 2=General PII, 3=Sensitive, 4=Special Category
  • V (Volume, 0–20): V = min((log₁₀(individuals) / 8) × 20, 20)  | Logarithmic scale; 8 = log₁₀(100,000,000). For fewer than 1 individual the logarithm is undefined or negative, so V is taken as 0.
  • P (Purpose Risk, 0–20): P = ((purpose_level − 1) / 3) × 20  | Levels: 1=Operations, 2=Marketing, 3=Automated Decisions, 4=Surveillance
  • M (Security Gap, 0–15): M = (1 − controls_score / 10) × 15  | Higher security controls reduce the score
  • T (Third-Party Sharing, 0–10): T = (sharing_level / 3) × 10  | Levels: 0=None, 1=Trusted, 2=Multiple, 3=Cross-border
  • R (Retention, 0–5): R = min((log₁₀(months) / log₁₀(600)) × 5, 5)  | Logarithmic scale; 600 months = 50 years. For retention under 1 month the logarithm is undefined or negative, so R is taken as 0.

Risk Bands: 0–24 = Low | 25–49 = Moderate | 50–74 = High | 75–100 = Very High
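The formula above, implemented as an added example that is not part of the original calculator. It validates each input against the ranges the formula defines, clamps the two logarithmic terms so that 0 individuals or 0 months of retention cannot produce an undefined or negative component, and assigns the risk band. Band boundaries are assumed to apply to the unrounded score (a score below 25 is Low, below 50 Moderate, below 75 High, otherwise Very High); the sample scenario values are constructed.

```python
import math
from dataclasses import dataclass

# Level labels as given on the page.
SENSITIVITY = {1: "Public", 2: "General PII", 3: "Sensitive", 4: "Special Category"}
PURPOSE = {1: "Operations", 2: "Marketing", 3: "Automated Decisions", 4: "Surveillance"}
SHARING = {0: "None", 1: "Trusted", 2: "Multiple", 3: "Cross-border"}


def _clamp(x: float, lo: float, hi: float) -> float:
    return max(lo, min(hi, x))


@dataclass(frozen=True)
class PiaResult:
    S: float  # Sensitivity, 0-30
    V: float  # Volume, 0-20
    P: float  # Purpose risk, 0-20
    M: float  # Security gap, 0-15
    T: float  # Third-party sharing, 0-10
    R: float  # Retention, 0-5

    @property
    def total(self) -> float:
        # Component maxima already sum to 100; the cap is a guard only.
        return min(100.0, self.S + self.V + self.P + self.M + self.T + self.R)

    @property
    def band(self) -> str:
        return risk_band(self.total)

    @property
    def dpia_recommended(self) -> bool:
        # Page rule: score >= 50 (High or Very High) triggers a formal DPIA.
        return self.total >= 50


def risk_band(score: float) -> str:
    # Assumption: bands evaluated on the unrounded score.
    if score < 25:
        return "Low"
    if score < 50:
        return "Moderate"
    if score < 75:
        return "High"
    return "Very High"


def pia_score(sensitivity_level: int, individuals: int, purpose_level: int,
              controls_score: float, sharing_level: int, retention_months: float) -> PiaResult:
    if sensitivity_level not in SENSITIVITY:
        raise ValueError(f"sensitivity_level must be one of {sorted(SENSITIVITY)}")
    if purpose_level not in PURPOSE:
        raise ValueError(f"purpose_level must be one of {sorted(PURPOSE)}")
    if sharing_level not in SHARING:
        raise ValueError(f"sharing_level must be one of {sorted(SHARING)}")
    if not 0 <= controls_score <= 10:
        raise ValueError("controls_score must be between 0 and 10")
    if individuals < 0 or retention_months < 0:
        raise ValueError("individuals and retention_months must be non-negative")

    S = (sensitivity_level - 1) / 3 * 30
    # log10 is undefined at 0 and negative below 1: treat both as zero volume.
    V = 0.0 if individuals < 1 else _clamp(math.log10(individuals) / 8 * 20, 0, 20)
    P = (purpose_level - 1) / 3 * 20
    M = (1 - controls_score / 10) * 15
    T = sharing_level / 3 * 10
    # Same guard for retention below one month.
    R = 0.0 if retention_months < 1 else _clamp(
        math.log10(retention_months) / math.log10(600) * 5, 0, 5)
    return PiaResult(S, V, P, M, T, R)


def example_scenario() -> PiaResult:
    # Constructed scenario: special-category data on 1,000,000 people, used for
    # automated decisions, controls rated 7/10, cross-border sharing, kept 10 years.
    return pia_score(sensitivity_level=4, individuals=1_000_000, purpose_level=3,
                     controls_score=7, sharing_level=3, retention_months=120)


if __name__ == "__main__":
    r = example_scenario()
    for name in ("S", "V", "P", "M", "T", "R"):
        print(f"{name} = {getattr(r, name):.2f}")
    print(f"PIA score = {r.total:.1f} ({r.band}); DPIA recommended: {r.dpia_recommended}")
```

The volume term saturates at 100,000,000 data subjects, so a processing operation covering a billion people scores no higher on V than one covering a hundred million; the cap is deliberate in the page's formula, and the clamp makes that explicit rather than letting V exceed 20.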

Assumptions & References

  • The scoring model is aligned with GDPR Article 35 (Data Protection Impact Assessment) criteria and the ICO's DPIA guidance.
  • Sensitivity levels follow GDPR Article 9 special category classifications and general personal data definitions under Article 4.
  • Volume scoring uses a logarithmic scale because privacy risk grows sub-linearly with scale (consistent with CNIL and ENISA risk methodologies).
  • Security controls scoring reflects the NIST Privacy Framework and ISO/IEC 27701 control implementation maturity.
  • Third-party sharing risk reflects GDPR Chapter V requirements for international transfers and Article 28 processor obligations.
  • Retention risk is based on the GDPR storage limitation principle (Article 5(1)(e)); longer retention periods increase risk exposure.
  • A score ≥ 50 (High Risk) triggers the recommendation for a formal DPIA per GDPR Article 35(1) and supervisory authority guidelines.
  • This calculator provides a screening-level estimate. It does not replace a full DPIA conducted by qualified privacy professionals.
  • References: GDPR (EU) 2016/679; ICO DPIA Guidance (2018); ENISA Privacy and Data Protection by Design (2014); NIST Privacy Framework v1.0 (2020); ISO/IEC 27701:2019.
