Making Privacy Impact Assessment More Effective

Europe’s proposed Data Protection Regulation is expected to make data protection impact assessment (DPIA) mandatory, a development that could impact hundreds of thousands of organizations (both governmental and private sector) in Europe, as well as non-European entities offering their wares and services there. This article reviews the DPIA provisions outlined in the new regulation. For the nuts and bolts of a privacy impact assessment (PIA) methodology, Europe could select features from the PIA methodologies used in Australia, Canada, Ireland, New Zealand, the United Kingdom, and the United States, the countries with the most experience in PIA. A European Commission (EC)-funded project, called PIAF, reviewed these various methodologies and proposed an “optimized” PIA for Europe (and elsewhere) based on the best practices of the aforementioned countries. Based on these best practices, this article outlines a 16-step PIA process. It argues that while some organizations may regard a PIA as a hassle, in fact, a PIA offers many benefits, as spotlighted in the article.