Privacy impact assessment – When, how, what

Privacy Impact Assessment (PIA), primarily a North American concept around security, has been used since the 1990s, but now focuses on modern privacy risk. The EU GDPR uses the term Data Protection Impact Assessment (DPIA) to specifically assess the risk of individual rights or freedoms if a person’s data was exposed.

Below, we will discuss when a PIA/DPIA is needed, how to select the type of PIA/DPIA to be performed, and the difference between a minor and major PIA/DPIA.

1. What Triggers a PIA/DPIA

A PIA/DPIA should be performed when private information is collected, used or stored by an organization, regardless of the purpose. When evaluating if a PIA/DPIA is required you will need to determine the following:

  • Sensitivity of the private data
  • If the private data is shared
  • The volume of private data
  • How the private data will be used

Pro Tip – Follow the legal requirements the organization must comply with to determine if a PIA/DPIA is needed and if you are unclear, consider using the GDPR guidelines as they are complete and, in many cases, the most rigorous.

 2. How to evaluate the type of PIA/DPIA

When evaluating if a minor or major PIA/DPIA should be performed, you will need to consider the inherent risk  the data being exposed. Consider how data is used/shared, the impact on the person and their legal rights if the information was exposed.

Pro Tip – In general, if the information is collected directly from the internet, shared with third parties, used for any marketing or sales, or highly sensitive, a full DPIA will be needed. If minimal data is used for internal processing as part of a service, typically a minor PIA/DPIA will suffice.

 3. What does a Minor or Major PIA/DPIA consider

A minor PIA/DPIA should cover the minimum legal reporting requirements the organization must comply with. A major DPIA should cover all security and privacy aspects of collection, processing, storing, sharing, and destruction.

Pro Tip – The UK ICO has effective guidelines for reporting controls and can be used as the basis for a minor PIA/DPIA. Reach out to a privacy expert to help with major DPIAs.

Published on January 27, 2022