CC BY-NC-ND 4.0Hansen, MalteMalteHansenRunge, GretaGretaRungeGruschka, NilsNilsGruschkaJensen, MeikoMeikoJensen2025-10-162025-10-162026https://publica.fraunhofer.de/handle/publica/497426https://doi.org/10.24406/publica-577310.1007/978-3-032-07574-1_810.24406/publica-5773According to the European General Data Protection Regulation (GDPR), a Data Protection Impact Assessment (DPIA) is mandatory for all ongoing and planned processing of personal data if said processing is likely to affect the privacy and data protection rights and freedoms of the data subjects. However, upon examining the real-world implementation of this requirement, various approaches emerged, resulting in a heterogeneous landscape of DPIA processes. In this paper, we present the results of a survey that investigated the state of adoption of DPIA process methodologies in real-world organisations. Our survey reveals that handwritten DPIA reports and ad-hoc methods continue to dominate the DPIA landscape in Europe. Moreover, according to our data, processes involving multiple stakeholders are often not adequately assessed in terms of DPIA-related risks.enDPIAData protection impact assessmentPrivacy impact assessmentGDPRconference paper