PIA and DPIA: which statement correctly distinguishes them?

Prepare for the Certified Third-Party Risk Professional (CTPRP) Exam with our comprehensive quizzes. Use multiple choice questions with detailed explanations to ensure success. Maximize your study time and get ready to ace the exam!

Multiple Choice

PIA and DPIA: which statement correctly distinguishes them?

Explanation:
PIA is a general privacy risk assessment used across projects to identify and mitigate privacy impacts. DPIA, on the other hand, is a GDPR-specific process that must be conducted for processing activities deemed high risk to individuals’ data rights. Under GDPR, a DPIA examines what data is collected, how it’s used, the necessity and proportionality of the processing, the potential risks to data subjects, and the safeguards in place, often involving consultation with stakeholders or authorities. This clear distinction—PIA as a broad privacy risk assessment and DPIA as a GDPR-specific high-risk requirement—is why the correct statement is that PIA is a general privacy assessment while DPIA is GDPR-specific for high-risk processing. The other options don’t fit because DPIA is not merely a general privacy assessment, PIA isn’t GDPR-specific, they aren’t the same thing, and DPIA isn’t limited to data localization.

