Data Protection and Privacy Impact Assessments

Privacy impact assessments and data protection impact assessments are valuable tools to gauge the ways projects, systems, programs, products or services impact the data an organization holds, and increasingly they are being required by law for certain data processing. Having a good understanding of what PIAs and DPIAs are, how to implement them and who needs to be involved can be the key to determining the true effect a new project will have on your organization.

This topic page provides resources, news, tools and guidance to gain more in-depth knowledge on PIAs and DPIAs.

Featured Resources

Privacy Risk Framework for Accountability Through PIAs

In this web conference, you will learn how to build a PIA framework that can establish the accountability needed to help manage privacy risk, leading practices for creating PIAs/DPIAs in various environments, and how to create streamlined workflows to collaborate with data owners to fill out PIAs/DPIAs.

The increasing importance of a DPIA

Adam Schlosser, CIPP/E, CIPP/US, founder of Bay Regulatory Strategy Group, explains why now is the time for companies to turn their attention to DPIAs.

What triggers a DPIA under the GDPR?

The IAPP has created this infographic to help you determine what kinds of activities are more likely to trigger a mandatory data protection impact assessment under the EU General Data Protection Regulation.


Latest News and Resources

DPIA Template (d.pia.lab)

Vrije Universiteit Brussel’s Brussels Laboratory for Data Protection & Privacy Impact Assessments (the d.pia.lab) developed a template that conforms to the requirements of Articles 35–36 of the EU General Data Protection Regulation (GDPR) and reflects best practices for impact assessment. The template is available in both readable and editable formats.

Utilizing PIAs to limit institutional discrimination and bias

I view privacy as sitting at the convergence of what is legal, what is possible and what is ethical regarding the composition of what makes a person unique. While there are various forms of privacy, I’m going to focus on information privacy because it is perhaps the easiest to conceptualize in this situation. As a privacy community, we seem to have a firm grasp on what is legally permissible when using a person’s data. Likewise, if you have ever worked with an IT department, they are rightly qu...

Laws & Regional Guidance

EU Member State DPIA Whitelists, Blacklists and Guidance

Data protection authorities of many EU member states have published draft lists of data processing activities that would trigger the need for a data protection impact assessment in that country. The European Data Protection Board weighed in on the drafts; you can find its opinions here. IAPP Westin Fellow Müge Fazlioglu, CIPP/E, CIPP/US, has written an analysis of the opinions here. IAPP extern Darya Balybina, CIPP/E, CIPP/US, CIPM, has written an analysis, "What is and what isn't subject t...

Samples, Templates and Forms

DPIA Template (d.pia.lab)

Vrije Universiteit Brussel’s Brussels Laboratory for Data Protection & Privacy Impact Assessments (the d.pia.lab) developed a template that conforms to the requirements of Articles 35–36 of the EU General Data Protection Regulation (GDPR) and reflects best practices for impact assessment. The template is available in both readable and editable formats.

ICO: Sample DPIA Template

This template, published by the U.K. Information Commissioner's Office, offers an example recording the process and outcomes of a DPIA. It is meant as a complement to the ICO's DPIA guidance and the Criteria for an acceptable DPIA set out in European guidelines on DPIAs.

Private Sector PIA Template

This template from British Columbia's Office of the Information and Privacy Commissioner aims to assist organizations in making the most of this tool to ensure Personal Information Protection Act compliance throughout an initiative’s lifespan.