One of the most remarkable phenomena of new data protection legislation (e.g. Brazilian, European, Indian and Californian) is the adoption of a mechanism for risk measurement and prevention, which is instrumentalized by the ‘’impact assessments’’. We intend to research and discuss the methodological problems of this assessment (what is assessed? how? by whom? with whom? for whom?) and, more importantly, the methodological disputes between different methods employed by authorities, private companies and consulting companies. It will seek to point out, from the particularities of each sector, guidelines and methods for the formulation of such reports and evaluations provided for in laws, regulations and concrete cases.