Making Privacy Impact Assessment More Effective
David Wright
PERSPECTIVE
Europe’s proposed Data Protection Regulation is expected to make data protection impact assessment (DPIA) mandatory, a development that could affect hundreds of thousands of organisations (both governmental and private-sector) in Europe, as well as non-European entities offering their wares and services there. This paper reviews the DPIA provisions outlined in the new Regulation. For the nuts and bolts of a privacy impact assessment (PIA) methodology, Europe could select features from the PIA methodologies used in Australia, Canada, Ireland, New Zealand, the UK and the US, the countries with the most experience in PIA. An EC-funded project, called PIAF, reviewed these various methodologies and proposed an “optimised” PIA for Europe (and elsewhere) based on the best practices of the aforementioned countries. Drawing on these best practices, this paper outlines a 16-step PIA process. It argues that, while some organisations may regard a PIA as a hassle, a PIA in fact offers many benefits, as spotlighted in the paper.