Privacy Impact Assessment (PIA)

For companies or organizations that process massive amounts of sensitive personal data, or that implement privacy-intrusive technologies involving the collection, processing or sharing of large amounts of personal data, privacy impact is one of the biggest challenges. Such a company is responsible for ensuring that personal privacy is well protected and that privacy risks are controlled and minimized at all times. A Privacy Impact Assessment (PIA) is the right tool for this.

Demonstrable personal data and privacy security

Privacy security as part of the corporate culture

Effective implementation of a risk management process

Continuous improvement of your security level


What is Privacy Impact Assessment (PIA)?

The Privacy Impact Assessment (PIA) is a widely accepted privacy compliance tool, and many companies adopt it before launching a new business project. Its purpose is to review and analyse whether the new services, systems or technologies might pose risks to, or have a significant impact on, personal data privacy.

Technically, Privacy Impact Assessment is the overall process of identifying, analysing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of personally identifiable information, framed within an organization’s broader risk management framework.

Privacy impact assessment (PIA) can be an instrument for:
— assessing the potential impacts on privacy of a process, information system, programme, software module, device or other initiative which processes personally identifiable information (PII);
— taking necessary actions, in consultation with stakeholders, to treat privacy risk.

Usually, a PIA is initiated at the beginning of a project. It comprises a set of screening processes: describing the flows of personal information in the project, analysing the possible impacts on individuals' privacy, and then identifying and recommending options for avoiding, minimizing or mitigating negative privacy impacts. The goal is to minimize the potential negative impacts and to enhance the positive privacy effects.

The management of companies and organizations can thereby build privacy considerations into the design of a project. This is a cost-effective way of reducing privacy risks.


Who is PIA suitable for?

A PIA is applicable to all companies and organizations involved in designing or implementing projects, especially in areas such as the use of public health databases, the linking of databases, surveillance projects, new technology in ID applications, data warehouses, etc.


What are the benefits of PIA?


  • A PIA provides a way to detect potential privacy risks arising from the processing of PII, thereby informing an organization of where it should take precautions and build tailored safeguards before, not after, it makes heavy investments.
  • A PIA contributes to an organization’s demonstration of its compliance with relevant privacy and data protection requirements in the event of a subsequent complaint, privacy audit or compliance investigation.
  • An appropriate PIA demonstrates to an organization's customers and/or citizens that it respects their privacy and is responsive to their concerns.
  • A PIA enhances informed decision-making and exposes internal communication gaps or hidden assumptions on privacy issues about the project.
  • A PIA enables an organization to learn about the privacy pitfalls of a process, information system or programme upfront, rather than having its auditors or competitors point them out.
  • A PIA can help an organization gain the public’s trust and confidence that privacy has been built into the design of a process, information system or programme.

Functions of PIA Reporting

PIA reporting should fulfil two basic functions.

  • The first (inventory) keeps the specific stakeholders informed of the identified affected entities, the affected environment and the privacy risks across the life cycle of the affected entities, whether inherent or mitigated.
  • The second (action items) is a tracking mechanism for the actions/tasks that improve and/or resolve the identified privacy risks. Sensitivity to the distribution and release of the reporting information should be clearly assessed and classified (private, confidential, public, etc.).

When is a PIA required?

Typically, an organization should consider a new or updated PIA if it perceives impacts on privacy from:

  • a new or prospective technology, service or other initiative where PII is, or will be, processed,
  • a decision that sensitive PII (see ISO/IEC 29100:2011, 2.26) is going to be processed,
  • changes in applicable privacy related laws and regulations, internal policy and standards,
  • information system operation, purposes and means for processing data, new or changed data flows, etc.; and
  • business expansion or acquisitions.

Contents of PIA Report

Depending on the service scope and the particular service requirements, a PIA report may address some or all of the following items:

  • the report structure,
  • the scope of the assessment,
  • the privacy requirements,
  • the risk assessment,
  • the risk treatment plan,
  • the conclusion and decisions taken on the basis of the outcome of the PIA, and
  • a PIA public summary to inform PII principals about the level of risk associated with the programme, information system, and the process implemented in which their PII will be involved.

How does PIA work?

First, we want to learn about your company, the purpose and rationale behind the project.

Once the goals of the verification and the structure of the PIA are defined, the six data protection principles ("DPPs") are adopted for the analysis of the data processing cycle:
     DPP1. the purpose for which and the circumstances under which the personal data is collected
     DPP2. the policy regarding the retention of the personal data and the maintenance of its accuracy
     DPP3. the processing (including transfer and sharing) of the personal data
     DPP4. the security safeguards to prevent unauthorized or accidental access, processing, erasure, loss or use of the data
     DPP5. the privacy policy and practices to be devised
     DPP6. the procedures for complying with data access and correction requests

A privacy risk analysis is then applied to identify the key areas of privacy concern.

This is the phase in which corrective actions are developed to avoid or mitigate the identified privacy risks.

Finally, a detailed PIA report including the findings is submitted.


How much does Privacy Impact Assessment cost?

Since every company has different prerequisites and individual requirements for privacy risk assessment, the cost of the analysis and reports for a Privacy Impact Assessment cannot be given as a lump sum. Please contact us: we will make you a customized offer based on an objective assessment of your requirements.


What can you expect from us?

  • More than 35 years of experience in the certification of management systems and processes, including the information security and privacy information security segments.
  • Industry-experienced assessors from the worldwide DQS network.
  • Value-added insights into privacy impact assessment in your company.
  • Meaningful reports including findings.

Depending on the scope of a particular project, the assessment team will be staffed with experts holding different professional IT security qualifications, such as CISA, CISM, CISSP, CEH, CIPP, CIPT, CDPO, ISO 27001 / 27701 Auditor, etc.


Request for quotation

Your local contact person

We will be happy to provide you with a tailor-made offer for Privacy Impact Assessment (PIA).