This chapter examines the interplay between the GDPR and parallel private regulation in the form of privacy-related standards adopted by the International Organisation for Standardisation (ISO). Focusing on the understanding of ‘risks' in the GDPR and ISO respective ecosystems, it compares the GDPR requirement for Data Protection Impact Assessments (DPIAs) with ISO/IEC 29134:2017, a private standard on Privacy Impact Assessment explicitly referred to by EU Data Protection Authorities as relevant in the context of DPIA methods. The resulting gap analysis identifies and maps misalignments, critically reflecting on whether the parallel form of ISO regulation, in the context of DPIAs, could support or rather blurs GDPR's objective to protect fundamental rights by embracing a risks-based approach.