Privacy Impact Assessment

Privacy impact assessments (PIAs) and data protection impact assessments (DPIAs) are valuable tools for gauging how projects, systems, programs, products or services affect the personal data an organization holds. Increasingly they are required by law for certain kinds of processing; under the GDPR, for example, Article 35 mandates a DPIA where processing is likely to result in a high risk to individuals. A clear understanding of what PIAs and DPIAs are, how to carry them out and who needs to be involved is key to determining the true effect a new project will have on your organization.

A Privacy Impact Assessment, or PIA, is a structured analysis of how personally identifiable information (PII) is collected, used, shared and maintained, and of the privacy risks that this handling creates.

How is a PIA performed?

PII is typically processed and stored across a variety of information systems, so an organization's information technology (IT) department is often the first point of contact for a PIA. Both systems in development and systems already in production are candidates for a PIA; ideally the assessment begins at the design stage, before any data is collected.

Templates and software packages are available to assist in developing PIAs. They generally follow these basic steps:

Secure approval from management to conduct a PIA.
Define the purpose and goals of the PIA.
Establish a PIA team to gather data and perform the assessment.
Gather data, such as the categories of personal data stored, where it is held, who has access to it, how long it is retained, and how privacy is currently assured.
Identify the privacy controls to be assessed.
Determine whether the assessment will be performed manually using a template or with software designed to perform assessments.
Conduct the assessment, ensuring each control is addressed and evidence of how privacy is maintained is recorded.
Schedule a preliminary review of the draft report with stakeholders.
Complete the report, updated with amendments from the review process, and present the finished report to management.

The benefits of conducting PIAs

In addition to demonstrating compliance with privacy laws and regulations, PIAs help build public trust and confidence in an organization and its business processes. They provide clear evidence of what information is collected, how and where it is stored, which storage management system is used, and who is permitted to access it.

PIAs are also important evidence in privacy audits and general IT audits. Because a PIA inventories what personal data exists, where it resides and who can reach it, it exposes gaps such as excessive collection, unnecessary retention or over-broad access that can then be remediated. As a result, it helps reduce both the likelihood and the impact of a data breach.

Privacy impact assessment vs. privacy impact statement

A PIA examines the many aspects of how information is protected and its privacy assured. The results of the privacy risk assessment can be presented in a summary report, the privacy impact statement, which communicates the findings to stakeholders and management.

The five main pillars of data privacy

Appointment of a Data Protection Officer (DPO)
Conduct of a privacy impact assessment (PIA)
Formulation of a privacy management program (PMP)
Implementation of data privacy and protection measures
Preparation of data breach management protocols
