Privacy Impact Assessment (PIA)

What is a Privacy Impact Assessment (PIA)?

A PIA is a tool or process used to assess the risks arising from the collection, use and disclosure of personal information, that is, information relating to the identity of an individual.

Concerned mainly with data protection and privacy, PIAs help organisations embed policies that reduce risk, prevent breaches of the law and avoid non-compliance with upcoming regulations such as the EU General Data Protection Regulation (GDPR). By 2018, when the EU GDPR is in place, businesses should aim to have PIAs embedded in their business approval or procurement processes, including whenever existing processes are redesigned or otherwise changed.

When would a PIA be necessary?

  1. When introducing new electronic systems capable of capturing and storing personal data.
  2. When updates or revisions to existing processes may alter the way the company monitors or reports on personal information.
  3. When a data capturing entry point such as a form on a webpage is amended to capture additional data.
  4. When planning a new way to capture existing data, or an existing way to capture new data.

Where can I learn how to implement a PIA?

In the UK, the Information Commissioner's Office (ICO) provides a code of practice for Privacy Impact Assessments, and this is considered essential reading for all organisations that handle personal data.

How are other organisations preparing for GDPR?