Privacy Impact Assessments

People care about privacy, so you should too.


Privacy Impact Assessments (PIAs) are key to managing privacy risk and regulatory compliance, whilst protecting the privacy of your consumers and your organisation’s reputation. They are an essential tool for assessing the privacy impacts of new initiatives, products, solutions and services and identifying ways of mitigating any potential issues.

Privacy impact assessments may be required for projects such as systems implementations, product rollouts or process enhancements which involve changes to the way you process of personal information. Privacy impact assessments may also be required if there is a change to relevant laws, or if you are selling your product into a new international market. Even if not required by legislation, PIAs are a great tool to help identify privacy issues and solutions early in the process and ensure that your products or services are more robust, futureproof and successful in ensuring privacy protections.

Conducting PIAs is an essential part of building a Privacy by Design culture for your organisation.

Privacy 108’s approach to PIAs considers technological issues as well as the relevant legal or compliance concerns. Our experienced team of lawyers and information security experts are well-equipped to identify, analyse, and mitigate against a full range of potential privacy issues.


Our expertise includes:

  • Undertaking and completing specific PIAs, including identifying mitigations and remediations for any identified issues;
  • Developing a whole of organisation  PIA process  aligned with your organisation’s existing risk assessment processes and protocols;
  • Drafting PIA templates for use by your organisations, together with supporting guidance documents and other collateral;
  • Reviewing completed PIAs and assessing the maturity status of the implementation of recommendations;
  • Establishing templates and workflows for PIA as part of embedding the process in your business’ product development lifecycle;
  • Setting up assessments and workflows for PIAs in OneTrust; and
  • Training your organisation in how to conduct PIAs.

Our privacy impact assessments are comprehensive and practical, as such, they all include future-focused recommendations and actionable steps.


How this Service Helps

Our team will make it as simple as possible to complete your PIA.  We have a range of templates, resources and tools that we use to ensure we deliver a PIA that meets your needs and ensures that privacy compliance is ‘built-in’ to your products, services and business processes and not just cobbled up as an afterthought.


How this Service Works

Our approach to undertaking a PIA includes the following:

  • Data gathering via interviews, workshops and document reviews to understand what is being proposed;
  • Consideration of privacy, security and ethical issues;
  • Discussions of initial findings with key stakeholders;
  • Preparation and delivery of final report.

We offer our PIA services as either an iterative planning tool that can inform decision making throughout a project, or as a point-in-time analysis.

Our team can also work with you to embed a PIA process into your business.  To do that, our team would undertake the following:

  • Review existing processes and procedures to identify where PIAs should fit in the business;
  • Data gathering via interviews and workshops with stakeholders to help socialise the development of the PIA process;
  • Design of workflows and templates to be used as part of the PIA process;
  • Review and approval of the PIA process, including all supporting collateral;
  • Implementation of PIA process and fine tuning in response to business requirements.

For further information on Privacy Impact Assessments see our FAQ’s at the bottom of this page.


What you Get

The deliverable from a PIA, is a detailed report.  Our team works with you to make sure we understand all your requirements, and to ensure our report meets your needs.

Typically, the Privacy 108 PIA report will include:

  • A comprehensive project description, including a high-level overview of relevant privacy concerns.
  • Data flow mapping: a detailed map that demonstrates the flows of personal information (internally and external to the organisation). This map also documents relevant legislative and organisational rules and considerations.
  • Privacy impact analysis, including details of the potential and likely impacts on privacy and information security relevant to your organisation.
  • Privacy management: a practical overview of alternative options that can improve privacy outcomes.
  • Recommendations: our final report outlines the recommended next steps for eradicating or mitigating any privacy risks, whilst embedding a culture of privacy awareness into your organisation.

Our team is happy to work with you on developing PIA remediation plans and implementing recommendations.


What it Costs?

We try to make our costs as transparent as possible but as Privacy Impact Assessments can vary greatly in their complexity depending on the underlying project, each engagement needs to be costed individually.

Our rates are competitive and will be supported by a detailed quote that specifies the work we will undertake and the deliverables you will receive.

We are more than happy to discuss your PIA with you and come up with a fully costed proposal at no cost to you.


The Importance of Managing Privacy

Collection, storage, use, or disclosure of personal information comes with an element of risk. Managing privacy is crucial for organisations who want to comply with their legal obligations. Yet in many cases, consumers expect organisations to go further than what the regulators require. Building and maintaining consumer trust takes transparency and a strong culture of privacy.

Privacy Impact Assessments promote trust, mitigate risk, and aid organisational decision making. Using the insights gleaned from a PIA, your organisation can implement better processes, better technologies, and a better privacy framework.

Privacy Impact Assessments FAQs

What is a Privacy Impact Assessment?

Determining whether a privacy impact assessment is necessary is another emerging issue. In some cases, you will be required to perform a Data Protection Impact Assessment, also referred to as a DPIA under the GDPR. In others, you may wish to undertake a PIA to protect your organisation’s reputation or to reduce the risk of a privacy breach.

Many providers propose a two-stage assessment in determining whether a PIA is required: a threshold test that queries whether personal information will be collected, used, stored, or disclosed, followed by a more comprehensive analysis. However, this approach doesn’t take risk appetite into account. Low-risk appetite can lead to every activity going through a Data Privacy Impact Assessment, which can be time-consuming, cumbersome and clumsy. Conversely, a high-risk appetite can lead to legitimate privacy issues being overlooked, which can have expensive consequences.

We work with you to first determine whether you need a privacy impact assessment, giving you the tools to make these determinations for yourself in the future.

A Privacy Impact Assessment is a tool used by organisations looking to understand and evaluate privacy risk. PIAs allow you to continually assess, analyse, and manage privacy risk and privacy challenges in your organisation.

PIAs are not a one-off compliance exercise, though they can be used to provide point-in-time risk assessments. We prefer the view that PIAs should form part of your organisation’s core planning tools. Privacy Impact Assessments can be used to:

  • Identify personal data collected, used, or disclosed as part of a project and assess the likely impact of that collection, use, or disclosure on data subjects,
  • Assist in strategic and informed decision making; and
  • Mitigate privacy risk and identify opportunities for improved information management.

Why undertake a Privacy Impact Assessment?

Some organisations, particularly those in the public sector, are required to undertake Privacy Impact Assessments. Increasingly, though, private organisations are relying on Privacy Impact Assessments to mitigate risk and aid organisational decision making.

More than this, undertaking a PIA is best practice where personal data is being collected, used, stored, or disclosed. The risks of not performing a PIA include legal compliance issues, privacy breaches, loss of credibility or reputational damage, perceived (or actual) lack of transparency, increased costs of compliance, and band-aid solutions that aren’t suited to long-term privacy priorities. Since PIAs can be relatively straightforward if there aren’t significant privacy concerns, the benefits of undertaking a PIA typically outweigh any drawbacks. This is especially true if you rely on a privacy provider who provides practical, future-focused solutions – like Privacy 108.

Finally, PIAs are an important part of the privacy by design process. They support the early identification and management of privacy protective and enhancing solutions. By performing PIAs early and often, you create a culture of privacy that will provide benefits to your organisation and to your consumers, today and into the future.

For more on how Privacy 108 can help with Privacy by Design.

What are the benefits of a Privacy Impact Assessment?

There are significant benefits of incorporating PIAs into your ‘business as usual’ processes and for undertaking them in advance of your next project. Some of the benefits of a privacy impact assessment include:

  •  Compliance with privacy laws.
  • Improved internal privacy and information security frameworks.
  • Transparency and increased public trust and confidence.
  • Reduced risk of future costs from legal exposure and/or reputational damage.
  • Better internal processes.
  • Improved information management.
  • A strengthened culture of privacy.
  • Increasing staff and community awareness of privacy issues.

Why choose Privacy108 for your Privacy Impact Assessment?

There are plenty of Privacy Impact Assessment templates available online. So, why would you choose Privacy108 for your PIA? Because we streamline the process of assessing your risk.

Privacy108 understand both information security and privacy law. We approach your PIA from a legal and IT perspective, assessing risk holistically and developing practical solutions to mitigate privacy risk.

Our approach recognises that PIAs should not be undertaken on a one-size-fits-all basis. Your Privacy108 PIA will contemplate your individual risk profile, timeline, budget, and IT infrastructure. We’re uniquely placed to oversee your privacy compliance from project initiation to end, but we’re equally happy to provide point-in-time assessments and provide an implementable action plan.


Who are Privacy 108?

Privacy108 is owned and led by one of Australia’s leading security and privacy professionals, Dr Jodie Siganto. The Privacy108 team includes lawyers, consultants and trainers who between them hold many years of experience in delivering privacy and security solutions for Australian organisations.

We have worked as in-house counsel and senior executives, and understand the pressures faced by executives, CISOs, Chief Privacy Officers, procurement teams and in-house lawyers. Our team’s industry experience is complemented by extensive legal knowledge and a desire to assist our clients with high quality practical advice.

Contact Us

  • We collect and handle all personal information in accordance with our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.

Talk to us?

Looking to take your business to the next level? Speak with our experts today!

Call 1300 41 20 50  or

Recent Insights