When should DPIA be performed in MIPC projects?

DPIA is a proactive privacy risk assessment used to identify and mitigate potential privacy harms before data processing is deployed. In MIPC projects, you perform it early in planning so privacy controls can be built in from the start, and you re-run it whenever you introduce new processing or significantly change how data is processed. This keeps the project aligned with privacy-by-design, helps you assess whether processing is necessary and proportional, and guides you in choosing safeguards like data minimization, access controls, and retention limits. Waiting until after deployment can leave unresolved risks and expensive fixes. Even when not strictly required by law, integrating a DPIA during planning and for any major change ensures you manage risk proactively. For example, adding a new data collection method, expanding data sharing, or introducing profiling would change the risk landscape and warrant an updated DPIA.