Privacy Impact Assessments (PIAs) form a fundamental part of information governance in assuring that individuals’ rights to privacy and confidentiality are appropriately protected. PIAs are used across all sectors but are particularly important in the context of personal health information as this is regarded as being sensitive information and merits higher protection under privacy legislation. In light of the forthcoming General Data Protection Regulation (GDPR) in May 2018, HIQA has revised the Guidance on Privacy Impact Assessment in health and social care to reflect the legislative changes. The guidance outlines a step-by-step process for undertaking a PIA and the important factors to be considered at each stage of the process.