After completing a privacy impact assessment, what must be documented?

• A. A summary of data categories and processing activities.
• B. The data subject's consent form.
• C. The privacy risks identified and the mitigations implemented.
• D. No documentation is required.

Answer: (C)

The essential outcome of a privacy impact assessment is a documented record of the privacy risks identified and the mitigations implemented. This creates an auditable trail showing how potential privacy harms were evaluated and what controls were put in place to reduce them, including any residual risk. It supports governance, accountability, and regulatory compliance, and guides ongoing monitoring of the project. While capturing a summary of data categories and processing activities is part of the PIA process, the main documentation after completion focuses on documenting the risks and the corresponding mitigations. A consent form is not universally required as part of every PIA, and saying no documentation is required conflicts with the purpose of the assessment.