A DPIA (Data Protection Impact Assessment) is a process for systematically and comprehensively analysing a processing activity in order to identify and minimise its data protection risks.
DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material.
To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals.
It does not have to eradicate the risks altogether, but should help to minimise risks and assess whether or not remaining risks are justified.
DPIAs are a legal requirement for processing that is likely to be high risk. An effective one can also bring broader compliance, financial and reputational benefits, helping demonstrate accountability and building trust and engagement with individuals.
It may cover a single processing operation or a group of similar processing operations. A group of controllers can do a joint DPIA.
It’s important to embed DPIAs into organisational processes and ensure the outcome can influence plans. A DPIA is not a one-off exercise, so it should be seen as an ongoing process and regularly reviewed.
Text taken directly from the attached link, which is from the ICO (Information Commissioner's Office) website.