Approaching a Privacy Impact Assessment for GDPR

An essential element of GDPR is to preempt risks to the security of personal data: describe how you will identify those risks, and demonstrate what you will do if the worst happens.

When should you conduct a Privacy Impact Assessment?

Choosing to begin a Privacy Impact Assessment (PIA) is normally triggered by the planning of a new project. This is because it gives you the opportunity to analyse how the new project is likely to affect your customers', clients' or staff's privacy. According to the Information Commissioner's Office:

‘Conducting a PIA does not have to be complex or time consuming but there must be a level of rigour in proportion to the privacy risks arising.’

Consider conducting a PIA if you are planning any of the following projects in your organisation:

New CCTV or other surveillance

If you’re planning on installing a new or upgrading an existing surveillance system that monitors the public.

Personal data sharing initiative

Sharing personal data between two or more organisations to make one database.

Installing a new IT or database system

Installation of a new IT system or database that stores and consolidates data held in separate parts of an organisation.

Reusing data for something new

Planning to use your existing bank of personal data for a different purpose.

Proposing to identify a particular demographic

Purposefully gathering data on a group of people with the intent to initiate a particular course of action.
New data policies or strategies

Relating to the way you use and collect personal information.

What is involved in the Privacy Impact Assessment process?

So you have established that you need to conduct a PIA, but where do you start? Before you do anything, it's important to ensure that the PIA is a flexible process that is easily integrated into your organisation's way of working and planning. You should also begin the PIA in plenty of time. The ICO recommends that you consider the following areas:

  • Identify the need for a PIA
  • Describe the information flows
  • Identify the privacy and related risks
  • Identify and evaluate the privacy solutions
  • Sign off and record the PIA outcomes
  • Integrate the outcomes into the project plan
  • Consult with internal and external stakeholders as needed throughout the process

Internal and external consultations

Consulting relevant parties throughout the PIA process helps you to stay on the right track. Internal consultations can ensure that stakeholders and staff are as committed to data protection as you are.

When compiling a list of your internal stakeholders, consider those who are likely to be involved in the project, such as engineers and developers, buyers and marketers. You should also include your Data Protection Officer (DPO) if you have one, and the project management team.

When consulting external parties, consider those who are going to be affected by the project.
