CIPP/US Study Guide
Chapter 4: Information Management and Privacy Risk Management

Privacy Impact Assessments (PIAs) and DPIAs

A privacy impact assessment (PIA), closely related to the GDPR's data protection impact assessment (DPIA), analyzes how personal information (PI) is handled in order to confirm legal conformity, determine the risks and effects of that handling, and evaluate the protections in place. At its core is a privacy risk assessment, which weighs the privacy impact of the processing against the likelihood of harm given the controls in place.

Privacy risk management has three parts: privacy risk assessment (identifying and rating the risks), privacy risk treatment (selecting controls to address them), and implementation of those controls. A PIA - similar to a DPIA - typically combines risk assessment and risk treatment, although some regulatory schemes limit a PIA to the assessment step only. A PIA is carried out to:

  • Ensure that the handling of PI conforms to applicable legal, regulatory, and policy requirements
  • Determine the risks and effects of collecting, maintaining, and disseminating PI in identifiable form
  • Examine and evaluate protections and alternative processes that could mitigate the identified privacy risks

Two variables of risk assessment

The core of a privacy risk assessment is weighing two variables: the privacy impact (the harm the processing could cause to individuals and to the organization) and the likelihood of that harm occurring given the controls in place. The same processing activity therefore carries a different level of risk depending on how effective the existing controls are.

Key terms - quick answers

What is “Privacy impact assessment (PIA)”?
An analysis of how PI is handled to ensure legal conformity, determine risks/effects, and evaluate protections to mitigate privacy risks.
What is “Data protection impact assessment (DPIA)”?
An assessment similar to a PIA; the term used by the GDPR (Article 35), which requires a DPIA where processing is likely to result in a high risk to individuals' rights and freedoms.
What is “Privacy risk assessment”?
Determining the level of privacy risk from two variables: the privacy impact and the likelihood of harm given the controls in place.