Impact assessments have received particular attention on both sides of the Atlantic as a tool for implementing algorithmic accountability. The aim of this paper is to address how Data Protection Impact Assessments (DPIAs) (Art. 35) in the European Union (EU)’s General Data Protection Regulation (GDPR) link the GDPR’s two approaches to algorithmic accountability—individual rights and systemic governance— and potentially lead to more accountable and explainable algorithms. We argue that algorithmic explanation should not be understood as a static statement, but as a circular and multilayered transparency process based on several layers (general information about an algorithm, group-based explanations, and legal justification of individual decisions taken). We argue that the impact assessment process plays a crucial role in connecting internal company heuristics and risk mitigation to outward-facing rights, and in forming the substance of several kinds of explanations.