Generally, privacy impact assessments (PIAs) are defined as evaluation tools that help to better understand how information is gathered, used, maintained, and shared. It’s a formal analysis used to assess what privacy risks exist within the information processing activities that drive specific products and services.
Given how paramount privacy has become in the digital landscape, PIAs have become very popular among government agencies and other similar entities, but these assessments can also prove useful for private organizations as well.
As part of our dedicated privacy practice, we’re very familiar with many different tools organizations can use to protect the privacy of customers’ information, and the PIA represents just one. In this article, we’ll detail the requirements of a privacy impact assessment, where it would fit within your existing processes—as it may be required—and the value and benefits of adding a PIA to your cybersecurity regimen.
What is the Purpose of a Privacy Impact Assessment?
In the development process, many organizations prioritize innovative new products and features to improve the user experience for their customers and support their product roadmaps. That is, after all, your priority, so it can be easy to get caught up in the opportunities that new data source integrations, partnerships, and use cases may offer.
At the same time, all organizations should have an established risk management program that supports this development process, and a privacy impact assessment would be a critical component.
A PIA requires you to think critically about how the information processing that supports your products and services may impact individuals. It formally assesses and documents key facts about that processing before it begins, so that you can proactively identify and mitigate privacy risks to individuals.
Factors assessed during a PIA can include, but are not limited to, the following:
- What information will be collected—such as specific data elements—and whether the data may be considered sensitive under certain laws or regulations
- Data sources and how the information was obtained
- Legal basis for data collection, such as whether the data was publicly available, if consent from individuals or data subjects was obtained, etc.
- How the information will be used and what specific products or features will process the data
- Whether the information will be shared with any third parties or subprocessors
- How long the information will be retained and how it will be disposed of
- What security controls will be implemented to safeguard that data (e.g., encryption, pseudonymization, access control, etc.)
- Internal points of contact or business owners with management control over the various processing operations, who can answer questions and influence product strategy
Once this preliminary information is collected, the individual or team responsible for conducting PIAs within your organization—be they within your privacy, legal, or governance, risk, and compliance departments—can proceed with obtaining input on the next steps from applicable business stakeholders as needed.
For the process to succeed, you should perform a PIA on a defined frequency, or upon a specific trigger such as a change in processing, so that the identified risks—and any new ones that are introduced—remain mitigated.
The Privacy Impact Assessment Process
When you do perform a PIA, here’s a brief overview of how that process would work, step-by-step:
- Define the scope and objectives of the assessment, including the specific processing activity(ies) under evaluation.
- Identify the personal data involved, its sources, and the purpose for which it is collected.
- Assess the risks associated with the collection, use, and disclosure of personal data, considering factors such as data sensitivity, potential harm to individuals, and security vulnerabilities.
- Evaluate the privacy safeguards and controls in place to protect personal data, including technical and organizational measures.
- Document findings, recommendations, and an action plan to address any identified privacy risks or deficiencies.
Best Practices for Minimizing Privacy Impacts
Again, it’s important to periodically monitor and review these impact assessments to ensure ongoing compliance and effectiveness. Keeping that in mind, here are other steps you can take to help ensure you achieve optimal results from your privacy impact assessments:
- Maintain transparency and clear communication during the entire assessment to foster trust among individuals whose data is being assessed.
- Involve stakeholders, such as data owners, data protection officers, IT professionals, and legal experts, throughout the process for their diverse perspectives and expertise, including input from those directly impacted by the data processing activities, when feasible.
- Engage privacy and data protection experts throughout the product development lifecycle.
- Provide regular and ongoing privacy training for employees to ensure awareness of privacy obligations and best practices, at the very least for those involved in or impacted by the PIA process.
- Document and maintain comprehensive records of privacy impact assessments, including findings, recommendations, and actions taken.
Why You Should Perform a Privacy Impact Assessment
These practices are helpful, but PIAs remain useful in their own right. Traditional risk assessments focus primarily on risks and threats to the confidentiality, integrity, and availability of information systems and assets; a PIA, by contrast, creates a platform for you to consider the additional potential consequences or adverse impacts to the individuals you serve that could result from the data processing activities connected to a specific product or service.
For example, could the aggregation of specific data elements create unforeseen privacy risks to individuals if a malicious actor compromised the dataset? How might those risks impact individuals, and what measures can be implemented to mitigate the risk or reduce its impact?
Documenting these criteria alongside any other applicable industry-specific, sectoral, or regulatory compliance obligations can help you make more comprehensively informed decisions regarding risk treatment plans and ensure that any technical measures implemented are both feasible to maintain and effective in mitigating risk.
When is a Privacy Impact Assessment Required?
To determine whether you should move forward with a PIA, consider the following:
- What is the nature of the information your organization collects, processes, and stores to provide products and services? Is it sensitive or pertinent to someone’s identity?
- Do you have contractual obligations to customers to safeguard the privacy of the information you collect?
- Is your organization subject to any unique industry, sectoral, and regulatory compliance obligations regarding data privacy?
(And if the answer to these is yes, you’ll also need to consider your organization’s role as a controller or processor of personally identifiable information (PII) before moving forward with a PIA.)
Of course, specific scenarios may arise that would trigger a PIA as well, such as:
- The introduction of new data processing technologies or systems that involve significant data collection or processing that could be considered high risk
- Changes to existing data collection, use, or storage methods that may impact individuals' privacy rights
- Large-scale data sharing or transfers, especially when involving sensitive or personal data
Aside from those circumstances, establishing an operational PIA process can also help you maintain compliance with various regulations and standards, including the General Data Protection Regulation (GDPR) and the ISO 27701 standard for privacy information management systems.
To help you get started in the process, multiple supervisory authorities have published guidance on their websites regarding PIA requirements unique to their jurisdictions, including:
- The United Kingdom (UK) Information Commissioner’s Office (ICO)
- Australian Office of the Information Commissioner (AOIC)
- France’s supervisory authority, CNIL
- Canada’s Office of the Privacy Commissioner
- The European Data Protection Board (EDPB)
The Benefits of Privacy Impact Assessments
Even if your organization isn’t legally required to conduct PIAs, undergoing the PIA process will not only better serve your customers—whose personal information will be better protected—but it will benefit your organization as well.
How?
By design, the PIA serves as an additional layer of due diligence that promotes accountability and helps identify potential issues in data processing activities before they arise. As such, when implemented effectively and conducted before planned changes to information processing begin, a PIA can be a significant driver of cost savings and return on investment (ROI) for organizations.
On the other hand, implementing changes to processing activities without incorporating this step can leave you vulnerable to legal and reputational risks—not to mention potentially significant financial repercussions.
Financial penalties and losses resulting from mishandling personal information and data breaches are on the rise—the average cost of a data breach reached $4.45 million in 2023. Given that, and as the “patchwork” of comprehensive state privacy laws emerging in the United States continues to grow, it has never been more important for organizations to implement a process to document and proactively address privacy risks, and a PIA can help get you started on improving and maintaining trust with customers and stakeholders.
Frequently Asked Questions about Privacy Impact Assessments
What’s the Difference Between a Privacy Impact Assessment and a Data Protection Impact Assessment (DPIA)?
Both a PIA and a DPIA serve the purpose of assessing and managing privacy risk; however:
- A DPIA is broader in scope, as it also includes data protection considerations such as security, data retention, and data subject rights. That is because a DPIA generally focuses on the risks to data subjects and individuals in general, while a PIA typically concentrates on the organization's general privacy concerns and practices.
- A DPIA is also specifically required in instances where the activities in scope are likely to result in a high risk to "the rights and freedoms of natural persons".
How Often Should a PIA Be Conducted?
The frequency of your PIA will depend on factors such as the nature of your organization’s operations, the sensitivity of processed data, and the evolving regulatory landscape. While they should be performed every time you introduce any net new processing activities involving personal data, we also recommend reviewing your PIA annually even if no new implementations are made.
Next Steps for Your Privacy Impact Assessment
As the privacy landscape remains ever-evolving, lapses in the protection of personal information can be devastating for an organization entrusted with it. As you continue to navigate the complexities of the various privacy regulations your organization is subject to, a privacy impact assessment would make for a beneficial addition to your privacy program and overall risk management processes.
To learn more about recent privacy updates and other options you have to prove your safeguards, check out our other articles:
- What is the EU – U.S. Data Privacy Framework?
- The Benefits of an APEC CBPR/PRP Certification for Your Organization
- What You Need to Know About the CPRA
If you find you have more specific questions regarding your privacy needs and would value an expert opinion, please contact us, as our experts would be happy to help you determine which solution would suit your organization best.
About Kathryn Young
Kathryn Young is a senior associate with Schellman based in Providence, Rhode Island. She currently performs privacy assessments and certifications related to ISO 27701, GDPR, SOC 2, and Microsoft DPR, among others. Before joining Schellman, Kathryn worked in a variety of privacy compliance and cybersecurity-focused roles in the information technology and healthcare sectors. She has her master's degree in cybersecurity and international cyber law from Norwich University and is an active member of the International Association of Privacy Professionals (IAPP) and Women in Cybersecurity (WiCyS) Privacy, Law, and Policy Affiliate.