4. What? A detailed assessment of privacy risks
When? Throughout the project
Who? Senior level staff
Privacy impact assessments - a risk based, proportionate approach
5. The PIA process
• 1. Identify need for a PIA
• 2. Describe information flows
• 3. Identify privacy risks – DPA compliance check
• 4. Identify privacy solutions
• 5. Record PIA outcomes, and sign-off
• 6. Integrate PIA outcomes into project plan
Consultation
6. Initiation
• Identify the need for a PIA
Definition
• Describe information flows
• Identify privacy risks
• Identify solutions
• Record PIA outcomes
Development
• Integrating outcomes into project plan
• Monitor any actions from the PIA and ensure they are completed
Consultation
7. Implementation
• Integrating outcomes into project plan
• Monitor any actions from the PIA and ensure they are completed
Handover & sign off
• Ensuring any identified risks in the PIA have been signed off
Closure & review
• Record what you have learnt from the PIA for future projects.
Consultation
Continue to Review
8. Implement data protection by design and default (Art 25).
• Pseudonymisation
• Transparency
• Data minimisation
9. Use data protection impact assessments where appropriate (Art 35).
Necessary where
• …the processing is likely to result in a high risk to the rights and freedoms of individuals, especially where the processing activity involves the use of new technologies.
• where processing involves a high level of profiling, or large scale use of surveillance,
• Where processing involves large scale processing of special categories of PD, or data relating to crime