This paper undertakes to decompose the notion of “Data Protection Impact Assessment” pursuant to the definition and the requirements set forth in Article 35 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR” or the “Regulation”). The paper defines the exact circumstances under which the conduct of a Privacy Impact Assessment is mandatory and highlights the key points for a proper implementation from a procedural perspective. Throughout all the aforementioned steps, additional deliberation will be provided in order to distill the terms and conditions mentioned in the Regulation, Article 29 Data Protection Working Party (hereinafter “WP29”) and European Data Protection Board (hereinafter “EDPB” or the “Board”) guidelines and opinions. In order to achieve an efficient comprehension of the current document a good knowledge on the fundamental notions of privacy and security is required.