Have you ever noticed that when you mention privacy impact assessments — of course, they’re PIAs in privacy-speak — you’ll usually hear a lot of groaning and you’ll also see the occasional eye roll?
Please help me understand why that is.
Is it because of how bureaucratic and boring the term sounds? Is it because some of the tools privacy pros have to conduct them, like the dreaded Treasury Board template, are outdated and unwieldy? Or is it that they’re simply not the most exciting privacy thing to read if you compare it to
Call me a privacy nerd, but I find PIAs super interesting. This week, members of my firm had a friendly banter about the merits of PIAs and we all agree they’re incredibly helpful for properly analyzing, understanding and advising on countless client initiatives when done well. I know some privacy pros who really enjoy doing them, because it enables them to unravel some complex privacy questions and carve out solutions that help initiatives actually move forward in a privacy-protective way. What I also find interesting is that with PIAs, the process itself is just as important as the outcome.
Anyway, what’s great is that we’re seeing more and more private-sector organizations doing them — they’re not just for government departments, mandated by policy. And laws are starting to include them. We recently saw the new British Columbia public sector law updated to require them. Meanwhile, Quebec’s Bill 64 amended its private-sector law to make them mandatory in certain situations. Let’s see over the next while how many jurisdictions make them a legal requirement in both the public and private sectors.
How many of you are doing PIAs in the private sector? I’d love to hear your thoughts on this.
I also think what PIAs need is a massive rebrand. So, if anyone has a better and more scintillating name for them, please share.