Privacy Impact Assessments 101

• Privacy impact assessments (PIA) help organizations identify, analyze, and mitigate the privacy risks associated with collecting and processing personal information.

• Formally introduced by the 2002 E-Government Act, federal agencies are required to conduct privacy impact assessments when implementing or updating services or technologies that process personal information.

• PIA have a lot of overlap with data protection impact assessments (DPIA), a provision of GDPR Article 35, but do differ slightly in terms of their background, goals, and requirements.

• What is the purpose of a privacy impact assessment?

• PIA vs DPIA

• When is a privacy impact assessment required?

• How to conduct a privacy impact assessment

• Benefits of privacy impact assessments

Privacy impact assessments (PIA) help organizations identify, analyze, and mitigate the privacy risks associated with personal information (PI) data collection, storage, and processing. At its core, the goal of a PIA is to:

• Make sure PI processing activities are not creating unnecessary or outsized risks for individuals, and

• Ensure compliance with relevant legislation

Both an analytical process and a document outlining that process and its outcomes, PIAs help program managers evaluate data processing risks and demonstrate they’ve made a conscious effort to address and mitigate those risks. 

A requirement of the 2002 E-Government Act, privacy impact assessments are a key way that organizations can show regulators and the public they're handling consumer data responsibly.

You'll often see the terms privacy impact assessment and data protection impact assessment (DPIA) used interchangeably. And, though the two concepts do have a lot of overlap, there are some notable differences. We'll cover those in the next section.

One question we often get is about the differences between privacy impact assessments (PIA) and data protection impact assessments (DPIA). Both share the same broad strokes—in that they're systematic tools for identifying and addressing privacy and data processing risk. 

Because of this overlap, you may see the terms PIA and DPIA used as synonyms. But with different backgrounds, goals, and requirements, it’s important that privacy professionals understand when and how to use a PIA vs a DPIA.

Here’s a few broad-stroke differences between the two.

• Stem from the US E-Government Act

• Used more frequently by Federal agencies, as they are under the purview of the E-Government Act

• Often used to identify privacy requirements for new projects and products

• Helps organizations determine if they have appropriate systems for identifying risk, as well as whether or not they're compliant with current privacy laws

• A byproduct of Article 35 of the General Data Protection Regulation (GDPR)

• Required for companies under GDPR who are engaged in "risky" data processing activities

• Required under several US state privacy laws (VCDPA, CPA, CPRA, CTDPA)

• Focused on identifying and minimizing risky data processing

• Helps organizations mitigate potential harms associated with risky data processing and bring their activities in-line with relevant legislation

GDPR Article 35 offers a few examples of risky data processing, including automated profiling, collecting biometric data, large scale processing of personal information, public surveillance, and facial recognition.

These subtle differences between PIA and DPIA should be taken into account when considering what’s appropriate for your business.

Privacy impact assessments are primarily a requirement for Federal agencies under the E-Government Act of 2002. Though they can provide benefits to other organizations, only Federal agencies are explicitly required to conduct them. 

In their Privacy Impact Assessment Guide, the US Securities and Exchange Commission outlines several scenarios in which agencies are required to conduct a privacy impact assessment.

1. Building or implementing a new technology that collects, stores, or processes personal information

2. Modifying an existing system e.g. converting paper records to an electronic system, merging databases, or providing public access to certain information

3. Inter-agency data sharing

4. Digitally collecting PI from 10 or more people

5. Changing existing rules or implementing new rules that affect the collection of PI. Even if the agency is allowed to collect PI, they must conduct a PIA to evaluate whether their collection activities are in line with relevant laws.

6. A system security control is categorized as “Moderate-Major” or “High-Major.” Even if these systems don’t collect or process PI, a Privacy Analysis Worksheet (PAW) must be completed to show that privacy was considered within these systems. 

The United States Office of Personnel Management takes a slight different approach, requiring that PIA’s be conducted when/if:

• A Privacy Threshold Analysis concludes a PIA is necessary

• Your office is building or implementing a technology system that collects, stores, or shares identifiable personal information

• When IT systems experience a significant change, or

• Every three years, for systems that haven’t been changed

Though there are certainly areas of overlap between these two agencies in terms of how they apply the E-Government Act, it’s important to note the differences in their threshold for when a PIA is necessary.

When considering whether your organization should conduct one, try to find a guide that outlines the specific requirements for your agency.

1. Determine if the project or larger context requires one

2. Create a framework for the PIA by identifying the project’s scope and objectives

3. Summarize the project, including details on how personal information will be collected, processed, and shared, how personal information will be protected, and who will have access

4. Identify and consult with all relevant stakeholders

5. Identify and document any privacy risks, including details on how they will be addressed and mitigated as the project progresses

6. Assess whether the project complies with relevant regulation and address any potential areas of non-compliance

7. Clearly document the entire process, to be used as reference in the event of an audit or alleged non-compliance

While conducting your PIA, be sure to consider your goals. Remember, a comprehensive privacy impact assessment should:

• Identify privacy risks in the  context of technology and systems that collect, share, and process PI

• Help your organization ensure compliance with relevant regulation

• Evaluate risk reduction strategies

• Support education and negotiation with internal stakeholders and external agencies

• Provide key information to the public about how an agency handles personal information, including steps being taken to safeguard sensitive data

• Offer insight into the assessment process and outcomes

Though conducting a privacy impact assessment might seem a little daunting, they do provide a few significant benefits.

When conducted before a project begins, as required by most organizations under the E-Government Act, a privacy impact assessment can help identify risk that could pose big problems down the road. 

Of course, there’s the ever-present question of regulatory compliance. But there’s other aspects of risk management that can impact a project. Privacy risks discovered once a project is well underway may slow down or even completely derail a project, depending on the severity of the risk. 

Ultimately, taking the time to identify and mitigate these risks ahead of time can save you future headaches. 

Not conducting a PIA when required is a clear violation of the E-Government Act. That said, even if you’ve done everything right, it’s possible your agency might come under scrutiny—whether it’s from a change in leadership, increased interest from the public, or some other force majeure. 

If this moment comes, having a comprehensive PIA in hand will go far in demonstrating your agency's compliance—helping you get off on the right foot with the regulator. 

As more stories hit the news about organizations who've mishandled personal information, either by accident or with intent, it’s important to be able to show that your agency is committed to privacy—and a PIA can help. 

In the 2023 IAPP Privacy and Consumer Trust Report, researchers found that 68% of consumers are either somewhat or very concerned about their online privacy. They also found that more than 60% of consumers will take defensive actions e.g. deleting an app if they feel their privacy is not protected.

In some cases, lack of a PIA could even result in loss of customers or partner relationships, damaging your reputation to the detriment of your bottom line. 

Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.

Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.

Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.

• US Department of Homeland Security - Privacy Impact Assessments

• Art. 35 GDPR Data protection impact assessment

• FPC - Privacy Impact Assessments

• United States Office of Personnel Management - Privacy Impact Assessments (PIA) Guide

• IAPP Privacy and Consumer Trust Report