Privacy Impact Assessments as a Business Tool: Make better decisions with PIAs
Privacy impact assessments are an underutilised tool that organisations can use to enhance data protection and reduce privacy risk. They come with significant benefits, like increased trust, greater transparency and better outcomes for users. Yet, many businesses and organisations aren’t using them effectively.
This blog post will outline how privacy impact assessments can be used as a business tool so you can start making better decisions today:
What is a Privacy Impact Assessment?
A Privacy Impact Assessment (or PIA) is a process that organisations can use to understand the impact of a project on personal privacy and evaluate the strategies available to manage, mitigate, or reduce privacy risk. PIAs are used to identify and manage risks; to avoid unnecessary costs by building privacy sensitivity into a project early; to avoid inadequate solutions to privacy risks; to avoid loss of trust and reputation; to inform the organisation’s communication strategy; and to meet or exceed legal requirements. Ultimately, PIAs help the business make decisions with a better understanding of the impacts of the proposed collection or use of personal data.
What is the purpose of a privacy impact assessment?
Privacy Impact Assessments & Legal Compliance
Privacy impact assessments are often used as (and seen as) a legal compliance tool. This isn’t incorrect. In some circumstances, PIAs are required to be undertaken by law. The General Data Protection Regulation (GDPR) and the newly enacted Virginia Consumer Data Protection Act (CDPA), for instance, both require covered entities to undertake privacy impact assessments in certain situations. In Australia, PIAs are an optional exercise that promotes compliance with the Australian Privacy Principles (APPs), specifically APP 1.2, which states:
1.2 An APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity’s functions or activities that:
(a) will ensure that the entity complies with the Australian Privacy Principles and a registered APP code (if any) that binds the entity; and
(b) will enable the entity to deal with inquiries or complaints from individuals about the entity’s compliance with the Australian Privacy Principles or such a code.
However, businesses miss out on the significant benefits of PIAs by adopting the narrow view that PIAs are only a legal compliance measure.
Privacy Impact Assessments as a Business Tool
In our view, the purpose of privacy impact assessments is to analyse and assess information management in your business operations to identify potential risks and opportunities for improvement. They should be seen as a business tool that can be used to better inform decision making, not just a means to an end in meeting minimum compliance standards.
When used as part of your ‘business as usual’ processes, PIAs can be used by businesses to:
- Comply with privacy laws.
- Improve internal privacy and information security frameworks.
- Increase transparency.
- Improve consumer trust and confidence.
- Reduce risk of future costs from legal exposure.
- Minimise the risk of reputational damage following a breach.
- Enhance internal processes.
- Improve information management.
- Strengthen organisational privacy maturity.
- Increase staff and community awareness of privacy issues.
Using Privacy Impact Assessments as a Business Tool
PIAs are considered to be very flexible and can be easily adapted to meet changing privacy requirements. Generally, the PIA process will look something like this:
Determine whether you need to undertake a full PIA.
A threshold test along the lines of “is personal information being collected, used or stored as part of the project?” is often recommended. A threshold PIA asks a small number of questions to try and determine whether a more comprehensive assessment might be required.
Questions posed in a threshold PIA might include:
- Describe the proposed processing: This will help the privacy practitioner determine whether this is a type of processing that might be considered high risk, such as the use of innovative new technologies, data matching, or processing involving the use of artificial intelligence resulting in automated decisions that could have a significant impact on affected individuals.
- What data is involved: Questions around the data might include the type and volume of data, to help assess the associated risk. Other questions might also include where the data subjects reside, so privacy practitioners can consider any potential cross-border transfer issues.
- What third parties might be involved: This might include technology partners and service providers, or business partners you might be working with to use the data for a new purpose. Identifying whether the data will be shared with a third party, and what the purpose of that sharing might be, is also a useful indicator of potential risks.
Threshold PIAs are particularly useful in large organisations to help prioritise the processing activities that the privacy team should focus on.
However, there are some issues with this approach. There might be some situations where you want to outline how you’re avoiding collecting personal information, for instance, which does not necessarily lend itself to the threshold PIA approach.
If you decide to include a threshold PIA as part of your process, consideration should be given to calibrating it to the organisational risk appetite, which should be the deciding factor behind whether to undertake a full PIA.
It can be useful to work with a privacy professional to develop a PIA template and tailored threshold test, and Privacy 108 consultants can help with that.
Undertake a full PIA
Privacy Impact Assessments can differ greatly in terms of scope, form, ways of being conducted, and even language. Companies across the world assess the privacy impacts and potential risks of a project or product at the outset to comply with legal obligations and/or to ensure the quality of the product or service.
Once you’ve established whether to undertake a PIA, it is useful to follow a consistent approach. The Office of the Australian Information Commissioner (OAIC) suggests a PIA process which includes the following steps:
- Plan the PIA.
- Describe the project.
- Identify and consult with stakeholders.
- Map information flows.
- Privacy impact analysis and compliance check.
- Privacy management — address risks.
- Recommendations.
- Report.
- Respond and review.
You can read more in the OAIC’s Guide to Undertaking PIAs.
There are a number of different templates that can be used for PIAs. One of the better guidance documents is that provided by the French privacy regulator, the CNIL. The resources provided by the CNIL are available here.
The UK ICO is reviewing its guidance on PIAs. Draft guidance is available here. In the US, the FTC has published a list of PIAs that provide some useful guidance. The FTC list is available here.
Privacy Impact Assessment Consulting
Privacy108’s team can conduct PIAs for your organisation, work with your team to establish a PIA process or provide training to empower you to undertake PIAs in-house. We recognise that PIAs should not be undertaken on a one-size-fits-all basis. Your Privacy108 PIA will be designed to fit your individual risk profile, timeline, budget, business context and IT infrastructure.
At Privacy 108, we’re uniquely placed to oversee your privacy compliance from project initiation to end, but we’re equally happy to provide point-in-time assessments and provide an implementable action plan.
Reach out if you need any assistance.