Duncan Greaves explains Privacy Impact Assessments as part of the GDPR:
The processes and practices implemented by organisations should reflect the methodology of using a Privacy by Design approach to business systems. Undertaking a PIA/DPIA is not a mandatory part of the GDPR, but in doing so, organisations can show that they are compliant with the Act.
Conducting a PIA is designed to accomplish three main goals:
Ensuring conformance with applicable legal, regulatory, and policy requirements for privacy.
Determining the risks and effects.
Evaluating protections and alternative processes to mitigate potential privacy risks.
Worth reading if you're based in Europe or do business with European customers. One caveat to the "not mandatory" framing above: Article 35 of the GDPR does require a DPIA where processing is likely to result in a high risk to individuals (for example large-scale profiling or systematic monitoring), so treat the optional case as applying only to lower-risk processing.