Abstract: In data security risk governance, the DPIA program is positioned as an ex-ante data risk assessment and a form of self-regulation by data controllers. China has stipulated DPIA in the Personal Information Protection Law, and its application value in data security risk governance is reflected in prevention, amendment and post-relief; in self-regulation that reduces governance costs; and in technical governance that supplements legal governance. With the rapid development of intelligent technology, the dilemma of applying DPIA in data security risk governance is also increasingly apparent. It is manifested in three aspects: the possible generalization of the field of application, the tendency of self-regulation to soften, and the prevention and post-fault imputation. In view of this, from the perspective of constructing an open DPIA program, this paper puts forward four measures: accurately determining the field of application according to the degree of risk, ensuring the openness and transparency of the whole evaluation process, constructing collaborative governance that is compatible internally and externally, and linking prevention in advance with accountability after the event.