Data Protection and Privacy Impact Assessments

Privacy impact assessments and data protection impact assessments are valuable tools to gauge the ways projects, systems, programs, products or services impact the data an organization holds, and increasingly they are being required by law for certain data processing. Having a good understanding of what PIAs and DPIAs are, how to implement them and who needs to be involved can be the key to determining the true effect a new project will have on your organization.

This topic page provides resources, news, tools and guidance to gain more in-depth knowledge on PIAs and DPIAs.

Featured Resources

Privacy Risk Framework for Accountability Through PIAs

In this web conference you will learn how to build a PIA framework that establishes the accountability needed to manage privacy risk, leading practices for creating PIAs/DPIAs in various environments, and how to create streamlined workflows for collaborating with data owners to complete PIAs/DPIAs.

The increasing importance of a DPIA

Adam Schlosser, CIPP/E, CIPP/US, founder of Bay Regulatory Strategy Group, explains why now is the time for companies to turn their attention to DPIAs.

What triggers a DPIA under the GDPR?

The IAPP has created this infographic to help you determine what kinds of activities are more likely to trigger a mandatory data protection impact assessment under the EU General Data Protection Regulation.


Latest News and Resources

DPIA Template (d.pia.lab)

Vrije Universiteit Brussel’s Brussels Laboratory for Data Protection & Privacy Impact Assessments (the d.pia.lab) developed a template that conforms to the requirements of Articles 35–36 of the EU General Data Protection Regulation (GDPR) and reflects best practices for impact assessment. The template is available in both readable and editable formats.

Steps to conducting a successful PIA

Salinger Privacy published a guide to ensuring a successful privacy impact assessment. The tips include doing more than a legal compliance check, reviewing the entire “ecosystem” of the technology the PIA is being conducted for, testing for “necessity, legitimacy and proportionality,” considering customer expectations, and using multiple privacy risk mitigation “levers.”

Automation is not a silver bullet for underlying PIA process issues

For over two decades, a privacy impact assessment has been an essential part of the privacy professional’s toolkit for understanding and mitigating privacy risks. In that time, there have been significant strides in automation of the PIA process. Automated assessment tools can do a lot of the heavy lifting for you, but the design and execution of a system that manages PIAs still needs a human element to make the PIA process successful. Poorly designed PIA forms that are not in tune with organiz...

Laws & Regional Guidance

EU Member State DPIA Whitelists, Blacklists and Guidance

Data protection authorities of many EU member states have published draft lists of data processing activities that would trigger the need for a data protection impact assessment in that country. The European Data Protection Board has weighed in on the drafts with its opinions, and IAPP Westin Fellow Müge Fazlioglu, CIPP/E, CIPP/US, has written an analysis of those opinions. IAPP extern Darya Balybina, CIPP/E, CIPP/US, CIPM has written an analysis, "What is and what isn't subject t...

Samples, Templates and Forms

ICO: Sample DPIA Template

This template, published by the U.K. Information Commissioner's Office, offers an example recording the process and outcomes of a DPIA. It is meant as a complement to the ICO's DPIA guidance and the Criteria for an acceptable DPIA set out in European guidelines on DPIAs.

Private Sector PIA Template

This template from British Columbia's Office of the Information and Privacy Commissioner aims to assist organizations in making the most of this tool to ensure Personal Information Protection Act compliance throughout an initiative’s lifespan.