What Is a Privacy Impact Assessment?

Customers care about how businesses handle their personal information and appreciate those that do so with proper diligence. Not only do you need to do so to maintain customer satisfaction, but the law also sets privacy standards for dealing with sensitive information. Since these privacy obligations are ongoing, it is up to you to ensure that your business continues to meet them. One way to do so is to conduct a privacy impact assessment (PIA) when analysing a new project or a change to an existing system. This tool works through the potential privacy risks of a project and evaluates the project’s privacy impacts. This article explains what a privacy impact assessment is and the steps involved in the process.
What Is a Privacy Impact Assessment?
A privacy impact assessment is an evaluation and reporting tool that you can complete when you start a new project at your business or change an existing system. Its purpose is to analyse the impact a project may have on the personal information you handle. Personal information is any data that can identify an individual, such as a name or credit card details. Therefore, whenever you handle such information you need to do so in a way that:
- complies with the law;
- is secure;
- is transparent; and
- protects customer privacy.
What Can a Privacy Impact Assessment Achieve?
A privacy impact assessment can help to achieve the goals mentioned above. In order to meet legal requirements, your privacy impact assessment should:
- identify potential privacy risks attached to personal information;
- examine both positive and negative privacy impacts of the project;
- check for compliance with the Privacy Act and its principles;
- decide how you can adjust project parameters to meet your privacy obligations; and
- exist as an adaptable reference point throughout your project or system change.
Your privacy impact assessment needs to identify how your project will impact your customers’ privacy while still meeting its objectives. It should be an independent evaluation of your project or system change, not a justification of decisions already made.
For example, say that you are developing an app that uses customers’ locations to find vegan restaurants in the area. A PIA would identify the risks involved with collecting such location data and what you can do to reduce those risks: for instance, whether the app needs precise or continuous location when a one-off, approximate location would serve the feature, and how long the app keeps that data after the search is done.
What a Privacy Impact Assessment Involves
The complexity of your privacy impact assessment should correspond to that of your project. Your Privacy Officer does not have to take part, but it is beneficial for someone on the team to be familiar with privacy issues. If needed, the Privacy Commission can provide advice and resources.
The exact steps in your PIA process will vary according to the nature of your proposal. However, the Privacy Commission recommends the following structure.
Gather Information and Map Out Usage
Identify all of the personal information the proposal will use and where it comes from. Map its lifecycle across your business, from collection through storage and use to disposal. Work out whose privacy the proposal affects, and how. Decide how long you need to keep the information and whom you must inform of its collection.
Check Privacy Principles
Compare your proposed project with the privacy principles in the Privacy Act. Go through each one and determine which are particularly relevant to your proposal. How are you meeting your privacy obligations? Are your proposed activities consistent with the standard the law sets? For example, one of the privacy principles focuses on the accuracy of personal information. Consider how this standard applies to your project and how you will make sure the information you collect is accurate.
Identify Privacy Risks and Mitigate
Next, identify the potential privacy risks associated with the personal information you will use in your proposal. Potential risks include dealing with information that is:
Your PIA should lay out ways you can mitigate these risks and establish security controls.
Produce a Report
Summarise the above in an organised report, and schedule points in the future at which you will return to re-evaluate it.
Take Action & Review
Go ahead with your project while implementing the controls you developed in your PIA for protecting privacy. Review and adapt your PIA as the project develops and new information comes to light.
Key Takeaways
A privacy impact assessment is an evaluation process you can use to identify how a new project or system change will affect the privacy of your customers and others. If you deal with sensitive personal information, a PIA is an excellent way to ensure that you meet your privacy obligations and fulfil customer expectations. If you would like more information or help with your privacy impact assessment, contact LegalVision’s data, privacy, and IT lawyers on 0800 005 570 or fill out the form on this page.
Frequently Asked Questions
A privacy impact assessment is an analytical tool you use when you are about to start a new project or implement a change in an existing system within your business. It identifies the impact the proposal may have on the privacy of your customers and employees.
You do not need to do a privacy impact assessment for every new project. However, it is a good idea to do one when your project is likely to deal with personal information. The law sets standards for handling this information, and a PIA can help you meet those standards.
Privacy risks are risks that any proposed project or change will not align with how customers (or the law) expect you to handle their personal information. Such risks may include inaccurate or insecure information.
About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.