Customers care about how businesses handle their privacy concerns and appreciate those that do so with proper diligence. Not only do you need to do so to maintain customer satisfaction, but the law also implies certain privacy standards for dealing with sensitive information. Since these privacy obligations are ongoing, it is up to you to ensure that your business meets them. One way to do so is to conduct a privacy impact assessment (PIA) for analysing new projects or existing systems. This tool goes through the potential privacy risks of a project and evaluates the project’s privacy impacts. This article will explain what a privacy impact assessment is and the actions involved in the process.

What Is a Privacy Impact Assessment?

A privacy impact assessment is an evaluation and reporting tool that you can complete when you start a new project at your business or change an existing system. Its purpose is to analyse the impact a project may have on the personal information you handle. Personal information is any data that can identify an individual, such as names or credit card details. Therefore, when you handle such information, you need to do so in a way that:

  • complies with the law;
  • is secure;
  • is transparent; and
  • protects customer privacy.

What Can a Privacy Impact Assessment Achieve?

A privacy impact assessment can help to achieve the goals mentioned above. In order to meet legal requirements, your privacy impact assessment should:

  • identify potential privacy risks attached to personal information;
  • examine both positive and negative privacy impacts of the project;
  • check for compliance with the Privacy Act and its principles;
  • decide how you can adjust project parameters to meet your privacy obligations; and
  • exist as an adaptable reference point throughout your project or system change.

Your privacy impact assessment needs to identify how your project will impact your customers’ privacy while still meeting its objectives. It should be an independent evaluation of your project or change in system.

For example, say that you are developing an app that uses customers’ locations to find vegan restaurants in the area. A PIA would identify the risks involved with collecting such location data and what you can do to reduce those risks.

What a Privacy Impact Assessment Involves

The complexity of your privacy impact assessment will correspond to that of your project. Your Privacy Officer does not have to take part, but it can be beneficial for someone on the team to be familiar with privacy issues. If needed, the Privacy Commission can provide advice and resources.

The exact steps for your PIA process will vary according to the nature of your proposal. However, according to the Privacy Commission, the following structure is recommended.

Gather Information and Map Out Usage

Identify all of the information you will need to complete the PIA, and where it comes from. Plan out the information's lifecycle across your business, from collection to disposal. Find out whose privacy the proposal affects, and how. Decide how long you will need the information for and whom you need to inform of its collection.

Check Privacy Principles

Compare your proposed project with the privacy principles in the Privacy Act. Go through each one, and determine which ones are particularly relevant for your proposal. How are you meeting your privacy obligations? Are your proposed tasks consistent with the standard that the law gives? For example, one of the privacy principles focuses on the accuracy of personal information. Consider how this standard works with your project and how you will make sure the information you collect is accurate.

Identify Privacy Risks and Mitigate

Next, you need to identify potential privacy risks associated with the personal information you will use in your proposal. Potential risks include dealing with information that is:

  • excessive or irrelevant;
  • not secure;
  • inaccessible, such as a remote location for physical documents;
  • incorrect; or
  • used outside of its initial purpose for collection.

Your PIA should lay out ways you can mitigate these risks and establish security controls.

Produce a Report

Summarise the above in an organised report, and be sure to schedule points in the future at which you will return to evaluate it.

Take Action & Review

Proceed with your project while implementing the privacy controls you developed in your PIA. Review and adapt your PIA as the project develops and new information comes to light.

Key Takeaways

A privacy impact assessment is an evaluation process you can use to identify how a new project or system change will affect the privacy of your customers and others. If you deal with sensitive personal information, a PIA is an excellent way to ensure that you meet your privacy obligations and fulfil customer expectations. If you would like more information or help with your privacy impact assessment, contact LegalVision’s data, privacy, and IT lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is a privacy impact assessment?

A privacy impact assessment is an analytical tool you use when you are about to start a new project or implement a change in an existing system within your business. It identifies the impact the proposal may have on the privacy of your customers and employees.

Do I need to do a privacy impact assessment?

You do not need to do a privacy impact assessment for every new project. However, it is a good idea to do one when your project is likely to deal with personal information. The law implies certain standards for handling this information, and a PIA can help you meet those standards.

What are privacy risks?

Privacy risks are risks that any proposed project or change will not align with how customers (or the law) expect you to handle their personal information. Such risks may include inaccurate or insecure information.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.