I’m in the midst of a few projects this week that have me helping clients with privacy impact assessments. In the 21 years I’ve been doing this, I’ve yet to encounter a project like this that I could characterize as mundane. Even the most seemingly innocuous projects that involve personal information inevitably raise interesting privacy issues.

One of the lessons I try to impart on my clients when helping with PIAs is my belief that the final report is never really that. What I mean is, it’s never final. Instead, I think PIAs work best when they are characterized as living documents. My advice to those who manage privacy programs is to use a tickler system to ensure that completed PIAs are routinely brought back to life. It need not be an exhausting task; rather, it simply requires an examination of the current state of the program and a measurement of it against what was contemplated when the PIA was written. Differences should be noted and, if done with some analysis, this might prompt further privacy-risk mitigation strategies.

Another piece of advice I’ve been doling out is that not all PIAs have to take months to complete, take up too many resources, or be all that expensive. Sure, some projects require more in-depth analysis, and sometimes they will be complicated. But, in other instances, the program or activity simply requires that you review it through a privacy lens to ensure you’re doing everything legally and in accordance with fair information practices.

I mention my thoughts on PIAs today because, as I mentioned, I’ve been involved in several this past week so they are top of mind. In addition, they seem worthwhile mentioning because of all the news this week about Sidewalk Labs releasing some of their plans with respect to privacy and data stewardship. We cover some of the stories below. What’s clear is that PIA work (or work similar to that) should definitely be keeping some people busy as that project continues — or at least I hope it is!

Have a great weekend.