A privacy impact assessment (PIA) is an essential element of effective privacy by design. It gives privacy leaders assurance that the implementation of privacy controls satisfies regulatory and organizational requirements, and it is key to determining what steps must be taken to manage privacy risk for the organization. The standard ISO 29134 (Guidelines for Privacy Impact Assessment, June 2017) defines a PIA as the overall process of identifying, analyzing, evaluating, consulting, communicating, and planning the treatment of potential privacy impacts with regard to the processing of personally identifiable information (PII), framed within an organization’s broader risk management framework.
Figure 1 indicates the scope of a PIA. Note that the term privacy impact assessment is a misnomer on two counts. First, a PIA does not simply assess impact; it assesses privacy risk, as explained subsequently. Second, a PIA is not limited to assessment; it also includes selecting controls for privacy risk treatment.
Figure 1. Privacy Risk Management Framework (Note: Reprinted from Information Privacy Engineering and Privacy by Design, p. 355, by William Stallings, 2020).
The remainder of this paper looks at the principal tasks illustrated in the two left-hand columns of Figure 1.