What is a Privacy Impact Assessment (PIA)?
A Privacy Impact Assessment (PIA) is a method to identify and reduce the privacy risks of your organisation. A requirement of the General Data Protection Regulation (GDPR) is to conduct a PIA prior to the processing of personal data if the nature or scope of the processing could involve a high risk to an individual.
PIAs are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective PIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. In addition, the PIA should give your organisation the data inventory (required under Article 30) and a view of the actions needed to become compliant.
Three types of PIA
We see three types of PIA, two for your current practice and one for future developments:
1. Organisational PIA – to gain insight into the organisational risks regarding privacy.
2. Operational PIA – to gain insight into the use of personal data in your current processes and/or IT systems.
3. New Business PIA – a consistent approach to embedding privacy as an organisational practice. Every new initiative needs to be checked against the new regulation as part of the Privacy by Design rules.