OneTrust - Mastering PIAs and DPIAs

The document serves as a comprehensive guide for privacy experts on conducting Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs), detailing their definitions, requirements, and methodologies across various jurisdictions. It emphasizes the importance of understanding the distinctions between PIAs and DPIAs, as well as the necessity of embedding these assessments into organizational processes to ensure compliance with privacy laws. Additionally, the document outlines key considerations and examples of high-risk processing activities that necessitate a DPIA, reinforcing the need for a thorough risk analysis from the perspective of individuals affected by data processing.

Mastering PIAs & DPIAs

A complete handbook for privacy experts

2024
Table of Contents

Part 1: Understanding the requirements and terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . 03

Part 2: Building the PIA and PTA questionnaires . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Part 3: Embedding the PIA within the organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Reference: Glossary of terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Reference: Risk assessment standards and methodologies . . . . . . . . . . . . . . . . . . . . . . . . 32

MASTERING PIAS & DPIAS | 2


WHITE PAPER

Part 1: Understanding the requirements and terminology

What is a PIA and a DPIA?

A Privacy Impact Assessment (PIA) is an approach to evaluating and helping reduce privacy risks.

It’s a crucial tool for identifying and mitigating privacy risks within an organization. PIAs help ensure personal information processing activities are evaluated and risks are managed efficiently. Often mandatory for privacy compliance, PIAs are essential in safeguarding personal data and maintaining regulatory adherence.

Privacy Impact Assessments can vary significantly in scope, format, methodology, and language. Globally, companies utilize PIAs to assess privacy impacts and potential risks of projects or products at their inception, aiming to comply with legal obligations and enhance the quality of their offerings.

A Data Protection Impact Assessment (DPIA) is a requirement under a growing number of privacy and data protection laws when introducing new data processing processes, systems, or technology. The European General Data Protection Regulation (GDPR), which took effect in 2018, addresses DPIAs in Article 35, which states: “Where a type of processing in particular using new technologies, and considering the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

Since then, the requirement to conduct a similar assessment has become a common component under a growing number of privacy and data protection laws. For example, Article 55 of the China Personal Information Protection Law (PIPL), which came into effect November 1, 2021, outlines requirements for conducting Personal Information Protection Impact Assessments. In the UAE, the Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data, along with the data protection laws and regulations of the Dubai International Finance Centre and Abu Dhabi Global Market special economic zones, all place an obligation on controllers to conduct DPIAs under certain circumstances. Amendments introduced through Bill 64 (now Law 25), An Act to modernize legislative provisions as regards the protection of personal information in Quebec, will also see new requirements to undertake privacy impact assessments.

In the United States, this trend continues with the introduction of various state privacy laws. The California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Virginia Consumer Data Protection Act (VCDPA), Texas Data Privacy and Security Act (TDPSA), and other emerging state laws now require some form of risk or data protection assessment. While the terminology may differ across jurisdictions, the core requirements remain consistent: describing the activity, identifying and assessing risks, implementing measures to address those risks, and managing any remaining risks to individuals' rights and freedoms.

Common pitfall: Your PIA is not a DPIA. The terminology matters.

Conceptually, PIAs and DPIAs can be assimilated under a common goal: an assessment conducted on a new product or service to evaluate the privacy risks associated with the envisaged product or service and the underlying data processing activity, to choose and apply appropriate mitigating measures or controls to address the identified risks, where necessary.

But there is a notable distinction between the two. Many organizations who have an existing PIA process in place may be complacent and incorrectly be under the impression that they already meet new DPIA obligations. This is a dangerous misconception.

The term DPIA, or equivalent as shown below, is typically explicitly defined and/or required under any applicable law or regulation and will include specific elements that need to be captured while conducting the DPIA.

GDPR: Data Protection Impact Assessment

Article 35 (1) - Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

Article 35 (7) - The assessment shall contain at least:
• a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
• an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
• an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
• the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

Colorado Privacy Act: Data Protection Assessment

§6-1-1309 (3) - Data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks.

Colorado Privacy Act Rule 8.04 – At a minimum, a data protection assessment must describe each of the following:

China PIPL: Personal Information Protection Impact Assessment

Article 55 - A personal information processor shall assess in advance the impact on personal information protection and keep a record of the course of the processing.

Article 56 - The assessment of impact on personal information protection shall include the following contents: (1) whether the purposes and means of personal information processing are legitimate, justified and necessary; (2) the impact on individuals' rights and interests, and security risks; and (3) whether the protection measures taken are legitimate, effective, and compatible with the degree of risks. The report of the impact assessment on personal information protection and the processing record shall be retained for at least three years.

Care should be taken to ensure that the difference between a PIA and a DPIA, or equivalent, is well understood, and the latter used only when the relevant DPIA triggers are met.

Because a DPIA must be conducted where there is a “significant”, “high”, or “heightened” risk to the rights and freedoms of individuals and the results recorded in a specific format, many organizations choose to implement a workflow that contains an initial “Risk Analysis” or “Threshold” questionnaire that is lightweight and can be performed first to understand the overall risk and determine if a DPIA is required. This threshold step, described in detail in this handbook, is also beneficial to keep the overall process agile and business friendly.

PIAs and Privacy by Design

A correctly implemented PIA can be a way to operationalize Privacy by Design

Privacy by Design, developed by former Ontario Information and Privacy Commissioner Ann Cavoukian, is an approach where privacy becomes an organization’s default mode of operation, integrated into every step of their development processes. This concept has since been elaborated upon by many supervisory and regulatory authorities, resulting in new guidance on privacy engineering and Privacy by Design strategies. For instance, the Spanish Agency for Data Protection (AEPD) offers a comprehensive Guide to Privacy by Design to help organizations implement these principles effectively.

This means that privacy is embedded into the design and development phases to make sure the proper choices are available for people using the products, and the default options are the most privacy preserving and least privacy invasive.

Although Privacy by Design (PbD) was created independently of the GDPR, Article 25 of the GDPR adopts the concept of "data protection by design and by default," which heavily overlaps with PbD but does not expressly adopt all its principles.

Article 25 states that “Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”

The PIA/DPIA is a critical operational and record keeping tool to be able to demonstrate compliance with Article 25. The PIA must be operationalized and embedded into the product lifecycle so that it is triggered during the design process of a product, and the PIA must include the proper set of questions to help the product designers identify user-trust, legal and engineering issues to integrate all privacy by design principles.

The GDPR also requires an organization to keep records of their processing activities to be able to demonstrate compliance (Article 24) and accountability (Article 5), and the PIA helps meet this obligation by storing the decision-making history and records.

10 considerations: Is your DPIA process compliant?

This list paraphrases and summarizes some of the key requirements across different laws and regulations that impact the process, documentation, and records for a DPIA.

01. High risk processing activities
02. Analyze risk from view of data subject
03. EU supervisory authorities lists
04. Minimum DPIA inclusions
05. Seek views of the data subjects
06. Demonstrate overall GDPR accountability
07. Operationalize Privacy by Design
08. Supervisory authority consultations
09. DPO should provide advice
10. Re-assess your DPIA

1. A DPIA is required only when the processing activity is likely to result in a “substantial”, “high” or “heightened” risk to individuals

There is no definition of a “substantial”, “high”, or “heightened” risk. Privacy and data protection laws and regulations provide some examples of processing likely to result in risk:

GDPR Article 35 (3)

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale.

Colorado Privacy Act §6-1-1309 (2)

(a) processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of: (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial or physical injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers;
(b) selling personal data; and
(c) processing sensitive data.

China PIPL Articles 55 – 56

(1) processing sensitive personal information;
(2) using personal information to conduct automated decision making;
(3) entrusting personal information processing to another party, providing personal information for another party, or publicizing personal information;
(4) providing personal information for any party outside the territory of the People's Republic of China; or
(5) conducting other personal information processing activities which may have significant impacts on individuals.

Additional examples of processing that may result in high risk that would require a DPIA include:

• The sale of personal data
• Using new technologies
• New kinds of data
• Necessary consideration of the time elapsed since the initial processing and/or assessment

Assessment of multiple processing activities

A DPIA may concern a single data processing operation, but a single DPIA could also be used to assess multiple processing operations that are similar in terms of the risks presented, provided adequate consideration is given to the specific nature, scope, context, and purposes of the processing.

Examples: A group of municipal authorities that are each setting up similar CCTV systems could carry out a single DPIA covering the processing by these separate controllers, or a railway operator (single controller) could cover video surveillance in all its train stations with one DPIA.

See: GDPR Recital 92; Article 29 WP Guidelines on DPIA; Virginia CDPA §59.1-580 (D)

Use of comparable DPIAs

It may be possible to use DPIAs conducted in the course of compliance with other laws or regulations, if there is reasonably comparable scope and effect.

See: Virginia CDPA §59.1-580 (E) (11)

Statutory exemptions

DPIAs may not be necessary when a processing activity is based on the necessity to comply with a legal obligation (article 6(1)(c)) or performance of a task carried out in the public interest or exercise of official authority (article 6(1)(e)), unless specifically required by the Member State law in question.

See: GDPR Article 35 (10) and Recital 93

2. Risk must be analyzed from the perspective of the individual, not the business, and include likelihood and severity or impact

One of the main purposes of a DPIA is to identify and consider risks from the perspective of individuals whose personal data is being processed. These risks will include a variety of risks to the rights and freedoms of individuals, both material and non-material.

Examples: Where individuals are deprived of rights and freedoms or prevented from exercising control over their personal data; where processing involves sensitive personal data; where processing involves the evaluation of aspects of an individual’s personal life, such as preferences, interests, or behaviors; discrimination harms; unfair, unconscionable, or deceptive treatment; financial injury or economic harm; psychological harm, including anxiety, embarrassment, fear, and other mental trauma.

See: GDPR Recital 75; Colorado CPA Rules 8.04 (A)

The reasonable expectations of individuals should be considered during the identification of risks, including the expectations arising from privacy notices.

Not only should the DPIA identify the risk, but it should also assess the likelihood of the risk occurring, and the severity or impact if it did.

3. Supervisory and regulatory authorities continue to issue lists of the type of processing operations which would be subject to the requirements of a DPIA

European data protection authorities have already published comprehensive lists of data processing activities that would trigger the need for a DPIA in each country, as have bodies in South America (see for example Argentina), Asia Pacific (see for example Japan) and the Middle East (see for example the UAE ADGM).

4. The minimum details your DPIA should include

As explained above, the applicable law or regulation typically specifies the elements that need to be captured while conducting the DPIA. There are six main components to a DPIA, common across different frameworks.

Description of the processing activity

A systematic description of the envisaged processing operations, including but not limited to:

• The types and amount of personal data being processed,
• The circumstances of the processing,
• How long the personal data will be retained,
• How the personal data will be collected, stored, accessed, shared, and ultimately destroyed

Description of the purpose(s)

A description of the purposes for which the personal data are being processed, including details of the legal basis, such as the legitimate interest pursued by the controller, where applicable.

Description of the lawfulness of processing

A description of the lawfulness of the processing, including how the processing complies with any relevant privacy or data protection principles, such as adequacy, purpose limitation, minimization, etc.

Identification of risks to the rights and freedoms of individuals

The identification and evaluation of the origin, nature, particularity, and severity of risks, taking into consideration the nature, scope, context, and purpose of processing and sources of risk.

Description of measures or methods to mitigate risks, both existing and planned

Detailed information on the technical and organizational measures or methods envisaged to address the risks, including safeguards, security measures and mechanisms that might already be in place to ensure the protection of personal data, and those that are intended to be implemented to address the risks.

Determination of the residual risk

A re-evaluation of the risks, considering the measures and methods envisaged, including the residual severity and whether the measures are sufficient to ensure the protection of personal data.

5. Seek the views of affected individuals during the DPIA process

As explained above, one of the main purposes of a DPIA is to identify and consider risks from the perspective of individuals whose personal data is being processed. It is recommended to consult with, or seek the views of, affected individuals during the DPIA process, in order to ensure their feedback is included and documented. Depending on the context, views can be sought in a variety of ways.

Examples: A generic study related to the purpose and means of the processing operation; a question to the staff representatives or usual survey sent to the data controller’s future customers.

See: GDPR Article 35 (9); Colorado CPA Rules 8.03

In situations where it is determined that it is not appropriate to seek the views of affected individuals (for example, if doing so would compromise the confidentiality of a company’s business plans, or would be disproportionate or impracticable), the justification for not doing so should be documented.

6. Prior consultations with the supervisory or regulatory authority required when risk cannot be mitigated

One potential outcome of the DPIA process is that the risk(s) cannot be reduced to an acceptable level, or the methods or measures envisaged are insufficient to ensure the protection of personal data. In this situation, there may be a requirement to consult with a relevant Supervisory or Regulatory Authority.

Examples: Where individuals may encounter significant, or even irreversible, consequences, which they cannot overcome (e.g., an illegitimate access to data leading to a threat on the life of the data subjects, a layoff, a financial jeopardy); when it seems obvious that the risks will occur (e.g., by not being able to reduce the number of people accessing the data because of its sharing, use or distribution modes, or when a well-known vulnerability is not patched).

Where there is a requirement to undertake consultation, copies of the DPIA should be sent to the relevant authority, who may request additional information and require corrective action as part of their response.

See: GDPR Article 36 (1); Abu Dhabi Global Market ('ADGM') Data Protection Regulations Section 34(7); Dubai International Financial Centre Data Protection Law Article 21(1)

7. Roles and responsibilities of the Data Protection Officer

The obligation to appoint a Data Protection Officer, or comparable position with similar responsibilities, is no longer unique to the GDPR. Many other laws and regulations now require that DPOs be involved in, and consult on, DPIAs as part of their tasks.

See: GDPR Article 35 (2); Abu Dhabi Global Market ('ADGM') Data Protection Regulations Section 37(1)

8. Re-assess your DPIA

DPIAs should be reviewed on a regular basis, and updated periodically, whenever there is a change to either the processing activity, or the risk presented by the processing activity.

Additional GDPR guidance issued by EU regulators

Guidance, as a general matter, is not law and therefore not binding; only actual laws and regulations are. However, with regard to data protection in Europe, guidelines issued by the Article 29 Working Party and the different Supervisory Authorities are extremely influential and carry a lot of weight.

It is therefore almost essential to keep track of them and take them into account to the extent possible. Most of the time, they are also very useful in helping understand the different requirements from the GDPR, which can be unclear.

Article 29 Working Party guidance

The Article 29 Working Party adopted on April 4, 2017 guidelines on Data Protection Impact Assessments (DPIAs) and determining whether processing is “likely to result in a high risk” for the purposes of the GDPR. The guidelines were submitted for public consultation until May 23, 2017, and the revised draft was adopted and published on October 4, 2017. Overall, the revised guidelines do not differ much from the original version, but some of the noticeable changes include the emphasis made on the importance of the risk-based approach to data protection, a few modifications to the list of criteria provided to help determine when a processing activity is likely to result in a high risk, and a few additional practical examples to illustrate how to use those criteria in particular situations. The GDPR provides data controllers with flexibility to determine the precise structure and form of the DPIA, but the DPIA must be a genuine assessment of risk, allowing controllers to take measures to address them. It is designed to describe the processing activity, assess its necessity and proportionality, and to help manage any resulting risks to the rights and freedoms of individuals.

The following figure illustrates the basic principles related to the DPIA in the GDPR (figure extracted from the WP29 Guidance; its flowchart is reproduced here as text):

• Likely to result in high risks? [art. 35(1), (3) & (4)]
  No: No DPIA needed.
  Yes: continue.
• Exception? (art. 35(5) and (10))
  Yes: No DPIA needed.
  No: DPIA [art. 35(7)], with the advice of the DPO (art. 35(2)), the views of the data subjects sought (art. 35(9)), code(s) of conduct (art. 35(8)) and monitoring of performance (art. 39(1)(c)).
• Residual high risks? (art. 36(1))
  No: No prior consultation.
  Yes: Prior consultation.
• Processing reviewed by controller [art. 35(11)].

The guidance also includes nine criteria to determine whether a DPIA should be conducted. A DPIA rule of thumb, so to speak. A processing operation meeting fewer than two of the following criteria may not require a DPIA due to a lower level of risk. In most cases, processing operations which meet two or more of these criteria will require a DPIA. The more criteria are met by the processing, the more likely it is to present a high risk to the rights and freedoms of data subjects, and therefore to require a DPIA, regardless of the measures which the controller envisages to adopt.

• Evaluation or scoring
• Automated decision making with legal or similar significant effect
• Systematic monitoring
• Sensitive data or data of a highly personal nature
• Data processed on a large scale
• Matching or combining datasets
• Data concerning vulnerable data subjects
• Innovative use or applying new technological or organizational solutions
• When the processing itself prevents data subjects from exercising a right or using a service or a contract

In some cases, a processing activity meeting only one of these criteria will require a DPIA. Conversely, if the controller believes that even though the processing meets at least two criteria, it is considered not to be “likely high risk,” then the controller has to thoroughly document the reasons for not carrying out the DPIA and include/record the views of the data protection officer.
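The WP29 rule of thumb on the nine criteria, together with the handbook's earlier points that risk is scored from the individual's perspective by likelihood and severity (consideration 2), re-evaluated as residual risk after mitigations (consideration 4), and escalated to prior consultation when residual risk stays high (consideration 6), can be turned into a small screening tool for a threshold questionnaire. The Python below is an added example, not code from the handbook, OneTrust or WP29; the criteria identifiers, the 4-point scales, the "high" threshold of 9 and the sample credit-rating activity are assumptions.

```python
"""DPIA threshold screen and data-subject risk register (added example).

Implements the WP29 rule of thumb (two or more of the nine criteria -> DPIA
required; one -> a judgement call to document) and a likelihood x severity
risk register that is re-scored after mitigations; any residual high risk is
flagged for prior consultation under GDPR Article 36(1). Scales, thresholds,
identifiers and the sample activity are assumptions, not from the handbook.
"""
from dataclasses import dataclass, field

# The nine WP29 criteria, as short identifiers (assumed names).
WP29_CRITERIA = frozenset({
    "evaluation_or_scoring", "automated_decision_making", "systematic_monitoring",
    "sensitive_data", "large_scale", "matching_or_combining",
    "vulnerable_data_subjects", "innovative_technology", "prevents_exercising_rights",
})


def screen(criteria_met):
    """WP29 rule of thumb: two or more criteria -> DPIA required; one -> judgement call."""
    met = set(criteria_met)
    unknown = met - WP29_CRITERIA
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    if len(met) >= 2:
        return "dpia_required"
    if len(met) == 1:
        return "consider_dpia"   # a single criterion can still be enough in some cases
    return "dpia_unlikely"


@dataclass
class Risk:
    """A risk to the rights and freedoms of the individual, not to the business."""
    description: str
    likelihood: int   # 1 = remote .. 4 = very likely (assumed 4-point scale)
    severity: int     # 1 = minimal .. 4 = maximum impact on the individual
    # Each mitigation: (name, likelihood reduction, severity reduction)
    mitigations: list = field(default_factory=list)

    def inherent(self):
        return self.likelihood * self.severity

    def residual(self):
        """Re-evaluate after mitigations; neither factor drops below 1."""
        lik = self.likelihood - sum(m[1] for m in self.mitigations)
        sev = self.severity - sum(m[2] for m in self.mitigations)
        return max(lik, 1) * max(sev, 1)


HIGH_RISK_SCORE = 9   # residual score at or above this counts as "high" (assumed threshold)


def assess(criteria_met, risks, dpo_advice_recorded, views_of_subjects_documented):
    """Run the threshold screen, then the risk register; return the DPIA record."""
    outcome = screen(criteria_met)
    record = {"screen": outcome, "dpia_conducted": outcome != "dpia_unlikely",
              "risks": [], "prior_consultation_required": False, "gaps": []}
    if not record["dpia_conducted"]:
        return record
    # Procedural elements a compliant DPIA file must be able to show.
    if not dpo_advice_recorded:
        record["gaps"].append("advice of the DPO not recorded (Art. 35(2))")
    if not views_of_subjects_documented:
        record["gaps"].append("views of data subjects, or the reason for not seeking "
                              "them, not documented (Art. 35(9))")
    for risk in risks:
        residual = risk.residual()
        record["risks"].append({"risk": risk.description, "inherent": risk.inherent(),
                                "residual": residual,
                                "residual_high": residual >= HIGH_RISK_SCORE})
        if residual >= HIGH_RISK_SCORE:
            record["prior_consultation_required"] = True   # Art. 36(1)
    return record


def example_record():
    """Constructed sample: a national credit-rating database (one of the WP29 examples)."""
    risks = [
        Risk("Inaccurate score leads to refusal of credit", likelihood=3, severity=4,
             mitigations=[("human review before adverse decision", 1, 1),
                          ("rectification channel for data subjects", 1, 0)]),
        Risk("Unauthorised disclosure of full financial history", likelihood=3, severity=4),
    ]
    return assess(
        ["evaluation_or_scoring", "automated_decision_making",
         "prevents_exercising_rights", "sensitive_data"],
        risks, dpo_advice_recorded=True, views_of_subjects_documented=False)


if __name__ == "__main__":
    import json
    print(json.dumps(example_record(), indent=2))
```

In the sample, the first risk drops from an inherent score of 12 to a residual of 3 once its mitigations are counted, while the unmitigated second risk stays at 12 and so marks the record as needing prior consultation; the missing documentation of data subjects' views is reported as a gap rather than silently accepted.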


The guidance offers a few practical examples and the criteria to consider for each (columns: example of processing; possible relevant criteria; DPIA likely to be required?):

A hospital processing its patients’ genetic and health data (hospital information system).
• Sensitive data or data of a highly personal nature
• Data concerning vulnerable data subjects
• Data processed on a large scale
DPIA likely to be required? Yes

The use of a camera system to monitor driving behavior on highways. The controller envisages to use an intelligent video analysis system to single out cars and automatically recognize license plates.
• Systematic monitoring
• Innovative use or applying technological or organizational solutions
DPIA likely to be required? Yes

A company systematically monitoring its employees’ activities, including the monitoring of the employees’ workstations, Internet activity, etc.
• Systematic monitoring
• Data concerning vulnerable data subjects
DPIA likely to be required? Yes

The gathering of public social media data for generating profiles.
• Evaluation or scoring
• Data processed on a large scale
• Matching or combining of datasets
• Sensitive data or data of a highly personal nature
DPIA likely to be required? Yes

An institution creating a national level credit rating or fraud database.
• Evaluation or scoring
• Automated decision making with legal or similar significant effect
• Prevents data subject from exercising a right or using a service or a contract
• Sensitive data or data of a highly personal nature
DPIA likely to be required? Yes

Storage for archiving purpose of pseudonymized personal sensitive data concerning vulnerable data subjects of research projects or clinical trials.
• Sensitive data
• Data concerning vulnerable data subjects
• Prevents data subjects from exercising a right or using a service or a contract
DPIA likely to be required? Yes

A processing of “personal data from patients or clients by an individual physician, other health care professional or lawyer” (Recital 91).
• Sensitive data or data of a highly personal nature
• Data concerning vulnerable data subjects
DPIA likely to be required? No

An online magazine using a mailing list to send a generic daily digest to its subscribers.
• Data processed on a large scale
DPIA likely to be required? No

An e-commerce website displaying adverts for vintage car parts involving limited profiling based on items viewed or purchased on its own website.
• Evaluation or scoring
DPIA likely to be required? No

There are different methodologies available to conduct a DPIA, but the guidance sets out common criteria including: (1) a description of the envisaged processing operations and the purposes of the processing; (2) an assessment of the necessity and proportionality of the processing; (3) an assessment of the risks to the rights and freedoms of data subjects; and (4) the measures envisaged to address the risks and demonstrate compliance with the GDPR.

National supervisory authority guidance

Article 35(4) of the GDPR obligates supervisory authorities (“SAs”) to establish a list of the processing operations that require a DPIA and transmit it to the European Data Protection Board (the “EDPB”). It should be noted that the lists are non-exhaustive and are subject to review and potential modification in the future.

Lists published per country (DPIA Blacklist: processing operations that require a DPIA; DPIA Whitelist: processing operations that do not):

Austria: DPIA Blacklist, DPIA Whitelist
Belgium: DPIA Blacklist
Bulgaria: DPIA Blacklist
Croatia: DPIA Blacklist
Cyprus: DPIA Blacklist
Czech Republic: DPIA Blacklist, DPIA Whitelist
Denmark: DPIA Blacklist
Estonia: DPIA Blacklist
Finland: DPIA Blacklist
France: DPIA Blacklist, DPIA Whitelist
Germany: DPIA Blacklist
Hungary: DPIA Blacklist
Iceland: DPIA Blacklist
Ireland: DPIA Blacklist
Italy: DPIA Blacklist
Latvia: DPIA Blacklist
Liechtenstein: DPIA Blacklist
Lithuania: DPIA Blacklist
Luxembourg: DPIA Blacklist
Malta: DPIA Blacklist
Netherlands: DPIA Blacklist
Norway: DPIA Blacklist
Poland: DPIA Blacklist
Portugal: DPIA Blacklist
Romania: DPIA Blacklist
Serbia: DPIA Blacklist
Slovakia: DPIA Blacklist
Slovenia: DPIA Blacklist
Spain: DPIA Blacklist, DPIA Whitelist
Sweden: DPIA Blacklist
UK: DPIA Blacklist

In addition, some regional supervisory authorities in Germany have published guidelines relevant to DPIAs, for instance:

• The Lower Saxony data protection authority ('LfD Niedersachsen') issued guidance (only available in German here);
• The Bremen data protection authority ('the Bremen Commissioner') issued a list of processing operations subject to DPIAs (only available in German here); and
• The Data Protection Authority of Bavaria for the Private Sector ('BayLDA') issued guidance (only available in German here).

DPIAs in the context of the EU AI Act

The EU Artificial Intelligence Act (EU AI Act) establishes a comprehensive legal framework for AI systems, addressing issues related to data protection, transparency, and accountability. As part of this regulation, organizations deploying AI technologies need to conduct thorough risk assessments to ensure compliance with data protection standards.

Relevance of DPIAs

DPIAs are crucial for implementing the EU AI Act. These assessments help organizations identify, evaluate, and mitigate risks associated with AI systems, ensuring that the deployment of such technologies adheres to legal and ethical standards.

Key considerations:

1. Risk identification: DPIAs help identify potential privacy risks posed by AI systems, especially those involving the processing of personal data. This includes risks related to automated decision-making, profiling, and the use of sensitive data.

2. Risk mitigation: These assessments enable organizations to implement measures that mitigate identified risks, ensuring that AI systems are designed and operated in a manner that protects individual rights and freedoms. Mitigation strategies may include data minimization, anonymization, and robust security measures.

3. Transparency and accountability: Conducting DPIAs enhances transparency and accountability in the use of AI technologies, as organizations must document their data processing activities and risk management strategies. This documentation is essential for demonstrating compliance to regulatory authorities and building trust with users.

Adhering to the requirements of the AI Act through DPIAs ensures legal compliance and fosters trust among users and stakeholders by demonstrating a commitment to responsible AI development and deployment. Regular updates and reviews of these assessments will be necessary as AI technologies and their applications evolve.

Examples of AI applications requiring DPIAs:

• Healthcare: AI systems used for diagnostic purposes or patient data analysis.
• Finance: AI-driven credit scoring or fraud detection systems.
• Employment: AI tools used for recruitment, performance evaluation, or employee monitoring.
• Public sector: AI applications in law enforcement, surveillance, or social services.

Practical steps for implementation:

1. Initial assessment: Conduct a preliminary analysis to determine if a DPIA is required based on the scope and nature of the AI system.

2. Data mapping: Identify all data sources, flows, and processing activities associated with the AI system.

3. Risk analysis: Evaluate the potential impact on individuals’ rights and freedoms, focusing on data protection and privacy risks.

4. Mitigation measures: Develop and implement strategies to address identified risks, including technical, organizational, and procedural safeguards.

5. Documentation: Maintain detailed records of the assessment process, findings, and mitigation measures.

6. Review and update: Regularly review and update the assessments to reflect changes in the AI system, data processing activities, or regulatory requirements.

By integrating DPIAs into their AI governance frameworks, organizations can proactively address privacy concerns and uphold the principles of data protection, contributing to the creation of a safer and more trustworthy AI ecosystem.

Existing methodologies to implement your DPIA

France - Commission Nationale de l'Informatique et des Libertes (CNIL) – Privacy Impact Assessment (PIA) Methodology, Tools, and Good Practices

The CNIL offers three documents that expertly lay out the PIA process and the necessary legal and operational requirements.

• Methodology
• Templates
• Knowledge Bases

In addition, the CNIL now also offers open-source software to help carry out a DPIA.

Methodology

A PIA rests on two pillars:

1. Fundamental principles and rights, which are “non-negotiable”, established by law and which must be respected and cannot be subject to any variation, regardless of the nature, severity, and likelihood of risks;

2. Management of data subjects’ privacy risks, which determines the appropriate technical and organizational controls to protect personal data.

Templates

To implement those two pillars, the approach consists of 4 steps:

1. Context study: Define and describe the processing(s) of personal data under consideration, its (their) context and stakes;

2. Controls study: Identify existing or planned controls (those to fulfill the legal requirements, and those to treat the privacy risks);

3. Risks study: Assess the risks that are related to the security of data and that could have impacts on individuals’ privacy, to check if risks have been treated adequately;

4. Validation: Decide whether to accept the way it is planned to fulfill legal requirements and to treat risks, or to reiterate the previous steps.

Knowledge bases

This document is “a catalogue of good practices intended to treat risks that the processing of personal data may pose to the civil liberties and privacy of data subjects.” Risks discovered in the PIA must be matched with proper controls before a decision can be made on whether to move forward. The catalogue helps to determine the measures proportionate to the risks identified.

Germany - Standard Data Protection Model

The Standard Data Protection Model contains a set of data security measures and creates a methodology to address the EU General Data Protection Regulation. The goal is to provide a procedure for a coordinated, transparent, consistent, and plausible system to assess the processing of personal data with regard to data protection. The primary value of this model is the translation of the regulatory requirements of the GDPR (especially of its Article 5) into technical and organizational measures.

Singapore Personal Data Protection Commission (PDPA) – Guide to Data Protection Impact Assessments

The Guide to Data Protection Impact Assessments covers the main phases of the DPIA lifecycle, including a sample risk assessment framework and a sample DPIA questionnaire.

Spanish Data Protection Agency (AEPD) – Risk Management and Impact Assessment in the Processing of Personal Data

Risk Management and Impact Assessment in the Processing of Personal Data provides a structured approach for organizations to identify, assess, and mitigate privacy risks.

The AEPD also offers a series of online resources that guide controllers through the DPIA process and the necessary legal and operational requirements:

• Evalua Riesgo
• Gestiona Riesgo

Non-EU: Requirements and specific guidance in other jurisdictions

Argentina: Guía de Evaluación de Impacto en la Protección de Datos

Australia: 10 steps to undertaking a privacy impact assessment; Guide to undertaking privacy impact assessments; Privacy impact assessment tool

Canada (Federal): Privacy Impact Assessments (PIAs)

Canada (Provincial): Privacy Impact Assessment Requirements; Privacy Impact Assessments For The Private Sector; Planning for Success: Privacy Impact Assessment Guide

China: Information security technology— Personal information (PI) security specification

Hong Kong: A Practical Guide for IT Managers and Professionals on the Personal Data (Privacy) Ordinance; Privacy Impact Assessments (PIAs)

Israel: DPIA – Data Protection Impact Assessments

Japan: Specific Personal Information Protection Assessment Guidelines

New Zealand: Privacy Impact Assessment Toolkit

Singapore: Guide To Data Protection Impact Assessments

UAE – ADGM 2020 and Data Protection Regulations: Data Protection Guide

UAE – DIFC: Guide to Data Protection Law, DIFC Law No. 5 Of

USA - S.E.C: Privacy Impact Assessment Guide

Relevant industry standards

In addition to regulatory guidance, several industry standards for risk assessments exist that provide a framework for conducting PIAs and DPIAs. A sample of these frameworks is listed here, and additional detail around them is provided in the reference section of this document.

• ISO 31000:2009 Risk management – Principles and guidelines
• ISO 27005: Security Risk Assessment
• ISO/IEC 27701:2019 Privacy Information Management
• ISO/IEC 29100:2024 Information technology – Security techniques
• European Network and Information Security Agency (ENISA): Risk Management
• Expression des Besoins et Identifications des Objectifs de Sécurité (EBIOS)
• European Data Protection Board (EDPB) Data Protection by Design and by Default Key Elements
• Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
• NIST SP 800-30 Guide for Conducting Risk Assessments
• NIST SP 800-122 Guide to Protecting the Confidentiality of PII
• IEEE 7002:2022 – Data Privacy Process

Part 2: Building the PIA and PTA questionnaires

10 practical tips to create a PIA/DPIA questionnaire

1. Criteria for an acceptable DPIA

The criteria proposed by the WP29 remain one of the most comprehensive sets of requirements when considering the criteria for an acceptable DPIA:

• A systematic description of the processing is provided (GDPR Article 35(7)(a)):
  ◦ Nature, scope, context, and purposes of the processing are considered (GDPR recital 90);
  ◦ Personal data, recipients, and period for which the personal data will be stored are recorded;
  ◦ A functional description of the processing operation is provided;
  ◦ The assets on which personal data rely (hardware, software, networks, people, paper, or paper transmission channels) are identified;
  ◦ Compliance with approved codes of conduct is taken into account (GDPR Article 35(8));

• Necessity and proportionality are assessed (GDPR Article 35(7)(b)):
  ◦ Measures envisaged to comply with the Regulation are determined (GDPR Article 35(7)(d) and recital 90), taking into account:
    – Measures contributing to the proportionality and the necessity of the processing on the basis of:
      - Specified, explicit and legitimate purpose(s) (GDPR Article 5(1)(b));
      - Lawfulness of processing (GDPR Article 6);
      - Adequate, relevant, and limited to what is necessary data (GDPR Article 5(1)(c));
      - Limited storage duration (GDPR Article 5(1)(e));
    – Measures contributing to the rights of the data subjects:
      - Information provided to the data subject (GDPR Articles 12, 13 and 14);
      - Right of access and to data portability (GDPR Articles 15 and 20);
      - Right to rectification and to erasure (GDPR Articles 16, 17 and 19);
      - Right to object and to restriction of processing (GDPR Articles 18, 19 and 21);
      - Relationships with processors (GDPR Article 28);
      - Safeguards surrounding international transfer(s) (GDPR Chapter V);
      - Prior consultation (GDPR Article 36).

• Risks to the rights and freedoms of data subjects are managed (GDPR Article 35(7)(c)):
  ◦ Origin, nature, particularity, and severity of the risks are appreciated (GDPR cf. recital 84) or, more specifically, for each risk (illegitimate access, undesired modification, and disappearance of data) from the perspective of the data subjects:
    – Risk sources are taken into account (GDPR recital 90);
    – Potential impacts to the rights and freedoms of data subjects are identified in case of events including illegitimate access, undesired modification, and disappearance of data;
    – Threats that could lead to illegitimate access, undesired modification and disappearance of data are identified;
    – Likelihood and severity are estimated (GDPR recital 90);
  ◦ Measures envisaged to treat those risks are determined (GDPR Article 35(7)(d) and recital 90);

• Interested parties are involved:
  ◦ The advice of the DPO is sought (GDPR Article 35(2));
  ◦ The views of data subjects or their representatives are sought, where appropriate (GDPR Article 35(9)).

On the next page is a summary checklist of items to have in mind when designing your questionnaire, which can be used not only for compliance with the GDPR, but also as a baseline to review with your legal counsel for compliance with other privacy laws and regulations.

Description and scope

When assessing whether a Data Protection Impact Assessment meets requirements, start with the requirements in Article 35(7) and then dig deeper with the additional citations listed below. Article 35(7) requires (in part) that the assessment shall contain at least: “(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;” This maps to the requirements of other laws and regulations where DPIAs are also mandatory.

Description of the new project or product, including the data processing activity associated with it
• Art. 35(7)(a) & Rec. 90 (nature, scope, context of the processing)

Purpose
• GDPR Art. 6(1), 35(7)(b) & Rec. 39, 40, 41

Benefit (expected benefits for the organization, data subjects, society in general)
• GDPR Art. 35(7)(b) Necessity and proportionality

Personal Data and special categories of personal data (sensitive data)
• GDPR Art. 4(1) "Personal data"
• GDPR Art. 9 (processing of special categories of data)

Harm that could result from the processing activity
• GDPR Rec. 75

Volume of processing (number of data subjects concerned by the processing activity)
• Helps in assessing the potential risks

Type of processing activity
• GDPR Article 35(3) (a, b, and c)

Processing

Again, returning to the requirements in Article 35(7), ensure that the DPIA contains “(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;”

Minimization
• GDPR Art. 5(1)(c)

Accuracy
• GDPR Art. 5(1)(d)

Retention
• GDPR Art. 5(1)(e)

Basis for Processing
• GDPR Art. 5(1)(a) Lawfulness of Processing, Art. 6

Individual rights

Article 35(7) requires that the DPIA contains an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1. This means that the DPIA considers the nature, scope, context, and purposes of the processing that is likely to result in a high risk to the rights and freedoms of individuals. As part of the DPIA, it is essential to consider whether the processing activity poses particular risks to an individual’s ability to exercise their rights and freedoms.

According to the Article 29 Working Party guidelines, the reference to “the rights and freedoms” of data subjects primarily concerns the rights to data protection and privacy but may also involve other fundamental rights such as freedom of speech, freedom of thought, freedom of movement, prohibition of discrimination, and the right to liberty, conscience, and religion.

Transfers

Assessing a project for risk via a DPIA can also be a good time to assess whether cross-border transfers are present and are being addressed correctly, since cross-border data transfers are likely to increase the risk that may result from a particular processing activity. There are only so many times that the privacy team can ask questions and collect information, so this is a good time to learn more.

Transfer Mechanisms/Controls
• GDPR Art. 45 & Rec. 103-107 & 169

Measures to address risk

Article 35(7) requires the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned. Article 25 requires appropriate technical and organizational measures, acting as necessary safeguards to meet the requirements of this Regulation and protect the rights of data subjects.

Recording of the risks, controls, and decision
• CNIL PIA 1 Methodology & 2 tools
  ◦ GDPR Rec. 84 Origin, nature, particularity and severity of the risks
• GDPR Rec. 90 Risk sources and measures envisaged to treat those risks

2. Incorporate Article 30 processing records requirements

In addition to the GDPR components in item 1, many organizations also choose to include the specific record-keeping requirements from Article 30 of the GDPR in their questionnaire as well.

Most organizations who have a GDPR-based privacy program use Article 30 as the foundation of their data mapping initiative.

The concept of data mapping and maintaining an inventory of processing activities is a cornerstone of many compliance programs, and it is strongly recommended as a starting point for compliance with other privacy laws and regulations.

By incorporating the same set of questions from the data map into the initial PIA questionnaire, the PIA results can be fed back into the data map to keep it up to date and evergreen.

Automation tools, such as OneTrust, can automate this evergreen process.

3. Organize the questions in an overall framework

Once these questions from the above have been compiled, it is important to add some structure and organization to the questionnaire. Below are two example ways of structuring and organizing the questionnaire.

Example 1

• Notice
• Choice, Consent & Legitimate Processing
• External Transfers & Sharing
• Access & Other Rights of the Employee
• Security
• Integrity, quality & data migration
• Governance, Policy, and Training
• Sensitive & Special Categories

Example 2

• System Information
• Contact Information
• Data Lifecycle
• Data Attributes Collected
• Collection Mechanism
• Consent and Notification Process
• Usage
• Transfers
• Disclosure to Other Parties
• Storage
• Destruction
  ◦ Mapping to Principles (HIPAA, GDPR, etc.)

As explained above, because a DPIA must be conducted where there is a “significant”, “high” or “heightened” risk to the rights and freedoms of individuals and the results recorded in a specific format, many organizations choose to implement a workflow that contains an initial “Risk Analysis” or “Threshold” questionnaire that is lightweight and can be performed first to understand the overall risk and determine if a DPIA is required. For further details, see the Create an Integrated “Threshold” step below.

4. Re-word the questions in a business-friendly way

Much of the terminology familiar to legal or privacy professionals may be foreign to business users. Be sure to re-word and continue to test the questions to avoid frustration from the business.

Example

“What is the purpose for processing?”

vs.

“What is the business reason for using this data?”

5. Embed definitions, descriptions, and tips in your questionnaire

Ease-of-use is essential for getting accurate responses. When possible, include additional descriptions and tips that can be revealed at the time the respondent is answering the question. There is a good chance that a confused respondent will provide poor quality responses, and the privacy team is only as effective as the information they must work with.

6. Add conditional skip questions

PIAs and DPIAs are all about getting the right questions to the right people, and the fewest number of questions to those people.

When designing your questionnaire, it is a best practice to build in question skip logic or branching logic rules so that questions that are not applicable to a specific project do not need to be presented to the business user.

7. Allow for flexible responses

Don’t force respondents to submit the wrong answer! Respondents may not have all the answers to your privacy questions and should be given the option to choose “Not Sure” or “Other,” which allows them to fill in any additional detail they can share. These options invite a conversation with the privacy team that often reveals key details that would have been left out.

8. Incorporate a freeform text box

Structured responses are incredibly important. “Yes” or “No”, “A” or “B” are answers that can be connected to conditional logic and used to enhance automation. They also allow for comparative analyses. That said, in many cases, structured responses should not be the only response.

In many cases, you will want to ask respondents to explain their answer. This allows respondents to offer additional comments or provide explanations for complicated matters. Offering both structured and unstructured answers to a question allows the privacy team to get the best of both worlds: great automation along with context and detail.

9. Create an integrated “threshold” step

It goes by many names: Gateway, Threshold, Pre-PIA, Screening, Risk Assessment, etc.

Regardless of what you call it, having a threshold step is critical to keep your PIA process agile and usable in a business environment, and helps to prevent PIA fatigue within your organization.

Threshold assessments are the brief screening questions that can be asked to determine whether risk is present and more information is needed. Always remember that the PIA process may be the only interaction that the privacy team has, and possibly will have, with individuals within an organization, and it’s important to put your best foot forward. It’s important that the privacy team gets what it needs and does not waste anyone’s time.

A DPIA under the GDPR can be approached as a two-step requirement by incorporating this threshold:

• Step 1: A privacy threshold assessment or simple privacy impact assessment which would aim to determine whether a processing activity is likely to result in high risks to the rights and freedoms of data subjects.

Companies should incorporate in their PIA the relevant elements necessary to assess the likelihood, severity or impact of a “substantial”, “heightened”, or “high” risk occurring and ensure, in the event they decide not to conduct a DPIA, that the organization has sufficient evidence and documentation to demonstrate its choice not to conduct one.

• Step 2: After the primary risk review and mitigation phase, if it appears that the type of processing activity is likely to result in a high risk to the rights and freedoms of the data subjects, the controller should then conduct a DPIA, which should contemplate all the elements mentioned above.

10. Do not ask “Do you collect personal data?”

Privacy professionals talk about personal data all the time. Whether something is or is not personal data is incredibly important and drives decisions within the privacy team. Other individuals within the organization aren’t as focused on personal data and the term does not hold the same meaning for them.

A customer study showed that when people were asked “Do you collect personal data?” 30% of people respond “No.” Upon follow up, 90% of those that answered “No” should have answered “Yes.”

The good news is that it is not hard to get accurate information about whether personal data is being collected. Ask: “What data do you collect?” and provide multiple choice selections (e.g., name, phone number, address, etc.) and then other or none of the above. This shows individuals the definition and it can also lead to interesting information being submitted via the “other” field that the privacy team would not have had a chance to know about and review.
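The question-design tips above can be expressed as executable rules: skip logic (tip 6), “Not Sure” and “Other” answers that open a conversation instead of being counted as “No” (tip 7), a threshold decision whose record serves as the evidence for a “no DPIA” outcome (tip 9, Step 1), and the “What data do you collect?” multiple-choice framing (tip 10). The block below is an added illustration written for this edit; it is not code from the white paper or from OneTrust. The question wording, the answer choices, and the mapping of answers onto GDPR Article 35(3)(a) to (c) triggers are constructed assumptions, as is the sample response.

```python
"""Threshold (pre-PIA) screening with skip logic and flexible answers.
Added illustration, not code from the white paper or OneTrust: the question
wording, choices and Art. 35(3)(a)-(c) trigger mapping are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, List, Optional

NOT_SURE, OTHER, NONE = "Not Sure", "Other", "None of the above"
# Constructed choices for "What data do you collect?" (tip 10); OTHER and NONE
# ensure nobody is forced into a wrong answer (tip 7).
DATA_CHOICES = ["Name", "Email address", "Phone number", "Postal address",
                "Health data", "Biometric data", "Location data", OTHER, NONE]
SPECIAL_CATEGORIES = {"Health data", "Biometric data"}   # GDPR Art. 9 examples


@dataclass
class Question:
    qid: str
    text: str            # business-friendly wording (tip 4)
    choices: List[str]
    multi: bool = False
    # Skip logic (tip 6): shown only when this predicate on earlier answers holds.
    ask_if: Optional[Callable[[dict], bool]] = None


def collects_personal_data(answers: dict) -> bool:
    """True when anything other than NONE was ticked under data_collected."""
    return bool(set(answers.get("data_collected", [])) - {NONE})


QUESTIONS = [
    Question("data_collected", "What data about people does this project use?",
             DATA_CHOICES, multi=True),
    Question("automated_decisions",
             "Does the system decide something about a person with no human review?",
             ["Yes", "No", NOT_SURE], ask_if=collects_personal_data),
    Question("scale", "Roughly how many people's data is involved?",
             ["Under 1,000", "1,000 to 100,000", "Over 100,000", NOT_SURE],
             ask_if=collects_personal_data),
    Question("monitoring", "Does the project track people in public areas?",
             ["Yes", "No", NOT_SURE], ask_if=collects_personal_data),
]


def questions_to_ask(answers: dict) -> List[str]:
    """Apply the skip logic: ids of the questions this respondent should see."""
    return [q.qid for q in QUESTIONS if q.ask_if is None or q.ask_if(answers)]


def validate(answers: dict) -> List[str]:
    """Reject values that are not offered choices (free text rides on OTHER only)."""
    errors = []
    for q in QUESTIONS:
        if q.qid in answers:
            values = answers[q.qid] if q.multi else [answers[q.qid]]
            bad = [v for v in values if v not in q.choices]
            if bad:
                errors.append(f"{q.qid}: not an offered choice: {bad}")
    return errors


def screen(answers: dict) -> dict:
    """Threshold decision ('dpia', 'no_dpia' or 'review') plus the evidence.
    The triggers and follow-ups are the record kept to show why a full DPIA
    was, or was not, started (Step 1 above)."""
    errors = validate(answers)
    if errors:
        return {"decision": "review", "triggers": [], "follow_up": errors}
    missing = [qid for qid in questions_to_ask(answers) if qid not in answers]
    if missing:
        return {"decision": "review", "triggers": [],
                "follow_up": [f"{qid}: unanswered" for qid in missing]}
    if not collects_personal_data(answers):
        return {"decision": "no_dpia", "triggers": [], "follow_up": []}
    picked = set(answers["data_collected"])
    # An unknown scale counts as possibly large so the screen errs on caution.
    maybe_large = answers["scale"] in ("Over 100,000", NOT_SURE)
    triggers, follow_up = [], []
    if answers["automated_decisions"] == "Yes":
        triggers.append("automated decisions about individuals (Art. 35(3)(a))")
    if picked & SPECIAL_CATEGORIES and maybe_large:
        triggers.append("special-category data, possibly large scale (Art. 35(3)(b))")
    if answers["monitoring"] == "Yes" and maybe_large:
        triggers.append("systematic monitoring, possibly large scale (Art. 35(3)(c))")
    # Flexible answers (tip 7): NOT_SURE and OTHER open a conversation with the
    # privacy team instead of silently counting as "No".
    for qid in ("automated_decisions", "scale", "monitoring"):
        if answers[qid] == NOT_SURE:
            follow_up.append(f"{qid}: respondent not sure; privacy team to confirm")
    if OTHER in picked:
        follow_up.append("data_collected: review free-text 'Other' entry: "
                         + answers.get("data_collected_other", "(blank)"))
    decision = "dpia" if triggers else ("review" if follow_up else "no_dpia")
    return {"decision": decision, "triggers": triggers, "follow_up": follow_up}


# Constructed sample response for a hypothetical recruitment-screening project.
SAMPLE = {"data_collected": ["Name", "Email address", OTHER],
          "data_collected_other": "video interview recordings",
          "automated_decisions": "Yes", "scale": NOT_SURE, "monitoring": "No"}
```

Calling `screen(SAMPLE)` returns a “dpia” decision with the Article 35(3)(a) trigger and two follow-up items (the unknown scale and the free-text “Other” entry), so the privacy team sees both why the DPIA is required and what still needs a conversation. A respondent who ticks only “None of the above” never sees the three dependent questions, and any answer outside the offered choices or any skipped question sends the response back for review rather than producing a silent “no DPIA”.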

Templates available as starting points

OneTrust provides different types of PIA, DPIA, and Threshold templates.

These templates include conditional logic rules, embedded help and question descriptions and tips, and have been created by privacy experts around the world.

Contact support@onetrust.com for access to these templates.

Part 3: Embedding the PIA within the organization

10 practical tips to implement the PIA

1. Design the right overall workflow

There are many potential workflows that can be successful in a PIA process. One of the most common workflows is as follows:

• Business user or privacy office initiates a new project
• Threshold questionnaire gets distributed to the project owner
• Completed threshold questionnaire gets analyzed to determine if a DPIA is required
• DPIA distributed to the project owner, completed and submitted back
• The Privacy Office records risk and recommendations
• Mitigation activities are tracked and followed up on

2. Select the right tools to implement the PIA process

The workflows associated with a robust PIA or DPIA process can become drastically simpler and more automated when using the appropriate tool. Below are some types of tools available:

Free tools

Microsoft Templates in Word or Excel

Templates can be created in Word or Excel as an easy way to get started. Although not a suggested long-term approach, this can be a great way to finalize and prototype the questionnaires and wording.

Homegrown tools in SharePoint or Workflow Tools

Some organizations choose to re-purpose existing tools for PIA / DPIA processes. It’s important to review your implementation of your homegrown solution with the checklists and best practices in this document.

Resources issued by Supervisory and Regulatory Authorities

Many Supervisory and Regulatory Authorities have issued templates that can be used to ensure a DPIA complies with applicable laws, including:

• Singapore: Guide to Data Protection Impact Assessments
• Australia: PIA Tool
• UK: DPIA Template
• New Zealand: Privacy Impact Assessment Toolkit
• British Columbia: Privacy Impact Assessment Template
• Ontario: Planning for Success: Privacy Impact Assessment Guide

Paid tools

OneTrust Privacy Automation

OneTrust makes the leading enterprise-grade platform for privacy programs, including PIA and DPIA activities. The solution is available to be installed in your data center, or in a cloud environment managed by OneTrust. Learn more at OneTrust.com.

Governance, Risk, Compliance (GRC) Tools

Many organizations may have an existing GRC tool they use for other compliance activities. Due to the complex nature of assessing personally identifiable information in the context of business use, and the unique record keeping required to prove compliance, organizations typically choose to leverage a privacy management solution such as OneTrust and integrate the solution into the GRC tool rather than attempting to re-build and keep up to date all the privacy tasks themselves in the GRC.

3. Decide the level of automation that makes sense for you

There is no privacy team that has a bigger team or more resources than they need. Manually administering PIAs is time-consuming, and time is wasted filling out the PIAs and assessing them. Worse yet, lack of automation also means lack of consistency in storage and follow up, which can mean a lack of accountability down the road when it turns out that the risks that were revealed by the assessments were never addressed or were only partially addressed. The more you can automate this process, the more likely your respondents are to participate and the more likely the privacy team will be able to carry out its work effectively by focusing on what matters.

There are different levels of automation available, and not all levels are appropriate for all organizations:

• Workflow: Automate the distribution and collaboration of the PIA process
• Full Threshold: Automate the threshold step to not require any admin intervention or review if low-risk processing is detected
• Full PIA: Automate the entire process with a robust rules engine that is monitored and audited regularly

4. Identify the right project lifecycle triggers to integrate with for Privacy by Design

Different business teams have different ways they project manage their work. The key is to go one at a time to each business team, understand their project management cycle, and find the appropriate way to integrate into that function. Below are some examples:

• IT teams sometimes follow an ITIL project management process that includes various review toll gates and security architecture reviews. These toll gates are a great opportunity to insert your PIA process.
• R&D engineering teams sometimes follow a release process or an SDLC (System Development Lifecycle) process that also includes toll gates and checkpoints that can be integrated with.
• Procurement is another opportunity to insert your PIA process if your organization has a central procurement function.
• Finance approval – many privacy programs have found success in “following the money”. If you can identify how projects are funded, you can insert yourself into the funding process of that project.

5. Enable self-service access to the business

Once you have identified the right toll gate to insert your PIA process, you can mature the process further by removing the requirement for a privacy team member to manually send a questionnaire to the business.

A self-service portal can be enabled where the business can access the privacy review information themselves.
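The six-step workflow from tip 1, the automation levels from tip 3 (in particular “Full Threshold”, where low-risk processing closes without admin review) and the self-service hand-off from tip 5 can be combined into one state machine whose audit log records every decision and which refuses to close while a recorded risk is still unaddressed, the accountability gap tip 3 warns about. The block below is an added illustration written for this edit; it is not code from the white paper or from OneTrust. The state names, the automation levels and the “no close while a risk is open” rule are constructed assumptions.

```python
"""PIA workflow with a configurable automation level and risk follow-up.
Added illustration, not the white paper's or OneTrust's code: the state names,
automation levels and the 'no close while a risk is open' rule are assumptions."""
from enum import Enum


class Automation(Enum):
    WORKFLOW = "workflow"               # distribution automated, every threshold reviewed
    FULL_THRESHOLD = "full_threshold"   # low-risk thresholds close with no admin review


class State(Enum):
    INITIATED = "project initiated"
    THRESHOLD_SENT = "threshold questionnaire with project owner"
    THRESHOLD_REVIEW = "threshold awaiting privacy office analysis"
    DPIA_SENT = "DPIA with project owner"
    MITIGATION = "risks recorded, mitigation being tracked"
    CLOSED = "closed"


class PiaWorkflow:
    """One project moving through the six-step workflow of tip 1."""

    def __init__(self, project: str, automation: Automation):
        self.project = project
        self.automation = automation
        self.state = State.INITIATED
        self.risks = {}      # risk id -> {"text": ..., "open": bool}
        self.log = []        # audit trail of (state, note): the evidence for each decision

    def _require(self, expected: State):
        if self.state is not expected:
            raise ValueError(f"{self.project}: expected {expected.name}, in {self.state.name}")

    def _move(self, new_state: State, note: str = ""):
        self.state = new_state
        self.log.append((new_state, note))

    def send_threshold(self):
        """Step 2: the threshold questionnaire goes to the project owner (self-service, tip 5)."""
        self._require(State.INITIATED)
        self._move(State.THRESHOLD_SENT)

    def submit_threshold(self, dpia_required: bool):
        """Step 3: under FULL_THRESHOLD a low-risk result closes with no admin review."""
        self._require(State.THRESHOLD_SENT)
        if not dpia_required and self.automation is Automation.FULL_THRESHOLD:
            self._move(State.CLOSED, "low risk detected; auto-closed without review")
        else:
            self._move(State.THRESHOLD_REVIEW)

    def analyse_threshold(self, dpia_required: bool):
        """Privacy office decision; a 'no DPIA' outcome is still logged as evidence."""
        self._require(State.THRESHOLD_REVIEW)
        if dpia_required:
            self._move(State.DPIA_SENT, "DPIA distributed to project owner")   # step 4
        else:
            self._move(State.CLOSED, "privacy office: no DPIA required")

    def submit_dpia(self, risks):
        """Step 5: the privacy office records each identified risk as an open item."""
        self._require(State.DPIA_SENT)
        for i, text in enumerate(risks, 1):
            self.risks[f"R{i}"] = {"text": text, "open": True}
        if self.risks:
            self._move(State.MITIGATION, f"{len(self.risks)} risk(s) recorded")
        else:
            self._move(State.CLOSED, "DPIA recorded no risks")

    def open_risks(self):
        return [rid for rid, r in self.risks.items() if r["open"]]

    def close_risk(self, risk_id: str):
        """Step 6: mitigation is followed up; closing the last risk closes the assessment."""
        self._require(State.MITIGATION)
        self.risks[risk_id]["open"] = False
        if not self.open_risks():
            self._move(State.CLOSED, "all mitigation items followed up")

    def close(self):
        """Refuse to close while a risk is unaddressed (the accountability gap in tip 3)."""
        if self.open_risks():
            raise ValueError(f"{self.project}: open risks {self.open_risks()}")
        self._move(State.CLOSED, "closed")
```

With `Automation.FULL_THRESHOLD`, a project whose threshold reports no high risk goes straight to `CLOSED` with a logged note, while the same result under `Automation.WORKFLOW` waits for the privacy office in `THRESHOLD_REVIEW`. Once a DPIA records risks, `close()` raises until every item has been followed up through `close_risk()`, so the audit log always shows who decided what and that no recorded risk was simply forgotten.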
6. Roadmap the technical integrations with existing tools

Having to log in to a separate portal or remember which intranet site to go to in order to conduct a privacy review creates room for error and missed process.

The most effective privacy programs go beyond administrative/operational integrations into business processes and integrate at a more technical level to make privacy a reflex of the activities that business teams are already doing.

For example:

• SharePoint – many business teams have their home base in SharePoint, and your PIA process can be inserted as a link into a team’s existing SharePoint site rather than being a separate portal to log into.
• JIRA – many R&D engineering teams use a tool called JIRA that is essentially a to-do list for developers. Integrating into this tool to help developers track their follow-up remediation tasks and feature requests can be the most highly effective way to integrate PbD into engineering teams.
• OneTrust Risk and Compliance – Compliance professionals need to understand their posture and execution in accordance with legal and privacy framework requirements. Teams can generate a plan of action and track the fulfillment of PIAs and DPIAs on a cyclical basis according to the legislation or framework. In addition, risk and compliance teams can leverage the output risk analysis to direct and prioritize efforts on high-risk practices or areas of the business.
• Risk Assessment tools – some compliance teams already produce questionnaires to business users, but often execute in an ad hoc manner siloed across different areas of focus using an existing GRC tool like OneTrust. Integrating your PIA tool into the GRC tool can be an effective way to consolidate these questionnaires.
• Service Now and other ITSM tools – Some IT teams operate off service management tools like Service Now or BMC Remedy. The PIA process can integrate into this tool to create tickets and follow-up tasks for the identified stakeholders who use these tools, typically in IT.

OneTrust provides integration capabilities with these tools, and many others as well, to simplify the integration tasks.

7. Integrate with the information security and/or vendor assessment process

There are very few initiatives within an organization that only affect one team or group. For example, when a new feature is being released there is often a privacy and security assessment that needs to take place. Make sure to gather information about other assessments that are taking place around the company and see where the privacy team might be able to work well with others. Try using a threshold assessment that triggers full privacy or security impact assessments. This will present respondents with less work, and it will lead to a more effective and integrated approach to managing risk. When it’s not clear where integration could happen at an organization, the best place to start is with a conversation with privacy champions to find out what is really happening and where integration can occur.

8. Align with “Agile” business processes

Agile or SCRUM is a project management methodology common in R&D organizations and becoming more popular with other business groups as well. Sometimes PIAs are at odds with agile processes, which preach operating in short 1 to 2 week “sprints” to complete work, avoiding over-planning or over-engineering, and reducing the amount of documentation required.

A few ways to integrate into an agile environment include:

• Implementing a lightweight threshold step that can be completed as part of a sprint task

• Integrating directly with the Agile tool, such as JIRA, to track tasks

• Having follow-up items identified from the PIA integrated into various sprints

• Using a tool such as OneTrust to reduce the documentation effort required by the business team

• Making sure the PIA process and tool are mobile responsive so individuals can complete a PIA or Threshold on the go


9. Determine who will review the completed PIA

Many organizations turn to a concept called “Privacy Champions” to help scale the process of reviewing the PIA. Privacy Champions are also called:

• Privacy Advisors

• Privacy Account Managers

• Privacy Angels

• Privacy Gurus

• Privacy Network

The role and function of the privacy champions vary drastically. Most commonly, these are business users who either are tapped or volunteer to become knowledgeable in privacy. The Privacy Champions can be on point for helping their business teams complete the PIA, can be the first line of defense for answering FAQs, and can also be inserted as reviewers of the completed PIAs.

10. Generate valuable reports and metrics

Reports and metrics are key to a successful program. Different stakeholders may require different views.

Accuracy tracking and change management reports

There are many reasons why someone would be uncertain about their questionnaire responses. One reason might be that the question is not clear. Analyzing answer changes on a per-question basis across multiple projects will give you insight into the quality of your questions and lead to iterative improvements. Another reason for answer changes might be respondent confusion because of the complexity of the project or a misunderstanding about what is being asked. Respondent confusion can lead to unhappy respondents and inaccurate information. Combat this by tracking any changes to their answers, which can identify the reasoning for their hesitation.
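The per-question change analysis described above, as an added example that is not OneTrust code: it separates a question that is revised across many projects (a wording problem) from a single project with many revisions (respondent confusion). The change log, the question IDs and the per-question answer counts are constructed sample data.

```python
"""Answer-change analysis for PIA questionnaire responses.

Added example, not OneTrust code. CHANGE_LOG and ANSWERED are constructed
sample data: each CHANGE_LOG record is one revision a respondent made to
an answer after first submitting it, as (project, question_id, old, new).
"""
from collections import defaultdict

CHANGE_LOG = [
    ("proj-A", "Q3", "No", "Yes"),
    ("proj-A", "Q3", "Yes", "Unsure"),
    ("proj-A", "Q7", "Internal only", "Shared with vendor"),
    ("proj-B", "Q3", "Yes", "No"),
    ("proj-C", "Q3", "No", "Yes"),
    ("proj-C", "Q5", "12 months", "24 months"),
    ("proj-D", "Q3", "Yes", "No"),
]

# Number of projects that answered each question (constructed).
ANSWERED = {"Q3": 5, "Q5": 5, "Q7": 5}


def change_rate_by_question(log, answered):
    """Fraction of projects in which each question's answer was revised at
    least once. Several revisions within one project count once, so a high
    rate reflects many different respondents hesitating on the same question,
    which points at the question wording rather than at any one project."""
    projects_changed = defaultdict(set)
    for project, qid, _old, _new in log:
        projects_changed[qid].add(project)
    return {qid: len(projects_changed[qid]) / answered[qid] for qid in answered}


def flag_unclear_questions(log, answered, threshold=0.5):
    """Question IDs whose change rate meets the threshold: candidates for
    rewording in the next questionnaire iteration."""
    rates = change_rate_by_question(log, answered)
    return sorted(qid for qid, rate in rates.items() if rate >= threshold)


def revisions_by_project(log):
    """Total revisions per project. One project revising many answers across
    questions suggests confusion about that project, not the questionnaire,
    and is a cue for the privacy champion to follow up with the respondent."""
    counts = defaultdict(int)
    for project, *_rest in log:
        counts[project] += 1
    return dict(counts)
```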

Project managers
• Status reporting on PIAs to understand outliers and lingering tasks
• Time breakdown reporting to understand where the most time-consuming parts of a PIA are, in order to optimize
• View of outstanding risks and unmitigated items

Privacy compliance
• Team utilization reporting
• Simple compliance metrics
• Visual representations of data flow

Executive reporting
• Trends of risks
• Financial metrics on % of project budget spent on privacy reviews

Regulators
• Reports for DPA consultations
• Privacy by Design reports
• Ability to demonstrate compliance for a project


Reference: Glossary of terms

Data Protection Impact Assessment (DPIA): A regulatory requirement under privacy laws and regulations to identify and mitigate privacy risks.

Privacy Impact Assessment (PIA): An approach to analyze the privacy risks of a project in order to apply appropriate mitigating measures and controls.

General Data Protection Regulation (GDPR): European Regulation governing the protection of natural persons with regard to the processing of personal data and laying down rules relating to the free movement of personal data. The GDPR was passed in May 2016 and will take effect as from 25 May 2018.

CPO: Chief Privacy Officer

DPO: Data Protection Officer

HIPAA: US law passed to create national standards for electronic healthcare transactions

Inherent risk: Risk that an activity would pose if no controls or other mitigating factors were in place; gross risk

Residual risk: Risk that remains after controls are considered

Threshold: An assessment used to determine whether a full PIA should be conducted

DPA: Data Protection Authority

European Data Protection Board (EDPB) (previously Article 29 Working Party): The Article 29 Working Party was replaced by the European Data Protection Board (EDPB) when the GDPR took effect on May 25, 2018. The EDPB is composed of:
• The heads of the national data protection authorities (Supervisory Authorities) of the countries in the European Economic Area
• The European Data Protection Supervisor (EDPS)


Reference: Risk assessment standards and methodologies

Risk management frameworks

ISO 27005: Security Risk Assessment

The ISO 27005 standard is not focused on privacy risk, but rather on information security risks. Implementation of the standard involves the entire management system and supports the design, implementation, maintenance, and improvement of risk management processes. One area where this standard is useful within the PIA context is its guidance on risk management techniques and procedures.

ISO 31000:2009 Risk Management – Principles and guidelines

The ISO 31000:2009 standard is not focused on privacy risk, but rather on risk in general. Implementation of the standard involves the entire management system and supports the design, implementation, maintenance, and improvement of risk management processes.[17] One area where this standard is useful within the PIA context is risk treatment.

Retaining, avoiding, reducing, and sharing the risk(s) and preparing and implementing risk treatment plans is an essential step in the PIA process, and following a standard for risk management, such as ISO 31000:2009, assists with operational efficiency, governance, and organizational confidence in the process. A revision of ISO 31000 is underway with the goal of further simplifying the approach.

European Network and Information Security Agency (ENISA) – Risk Management

The European Union Agency for Network and Information Security (ENISA) is a center of expertise for cyber security in Europe. The Agency works closely together with Member States and the private sector to deliver network and information security advice and solutions. ENISA’s risk management methodology is outlined in the first 38 pages of its 168-page report, which also includes an extensive inventory of other risk management methods and tools.

The ENISA risk management methodology works well as a way of implementing a PIA, and it addresses integration of its risk management methodology with other processes in the organization. ENISA makes a distinction between existing and emerging risks: existing risks use a standard risk management approach, while emerging risks require additional attention and process.

Risk analysis frameworks

Expression des Besoins et Identification des Objectifs de Sécurité (EBIOS)

EBIOS is a high-level method for risk management. It mainly addresses information security, but it can be leveraged to address other types of risk. EBIOS is mainly used in France, where it is recommended for use in government as well as in private companies working with the government. It is compatible with other information security management and risk management standards, including ISO 27001, ISO 27005, ISO Guide 73, and ISO 31000.

EBIOS views risk as a combination of:

• Threat Source

• Threat

• Vulnerability

• Impact


EBIOS is not a great risk analysis methodology for companies looking to build a large multijurisdictional program, but the method works well in France, and it is also an excellent reference for those looking for additional context and background on risk analysis.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

In 1999, Carnegie Mellon University published OCTAVE via the Software Engineering Institute.[19] The OCTAVE method is not a full risk management method but rather a risk evaluation method. This can be a useful approach for companies looking for a point-in-time analysis. Because this is not a full “Plan-Do-Check-Act” approach, it is not a perfect fit for adopting in conjunction with PIAs, but it is helpful in developing structure around risk analysis.

ISO 27005:2022: Security Risk Assessment

ISO 27005:2022 is a standard for information security risk management. It details an ongoing process for examining the external and internal context, identifying and assessing risks, and then recommending how to address those risks.[20] ISO 27005:2022 is aligned with the risk management standard ISO 31000, which makes it easy to integrate Enterprise Risk Management with information security risk management. Additionally, ISO 27005:2022 uses concepts in common with ISO 27001 and ISO 27002, which provides an effective framework for information security management. PIAs fit well into the ISO 27005:2022 process where risk identification and the application of appropriate controls are carried out.

NIST SP 800-30 Guide for Conducting Risk Assessments

As the NIST SP 800-30 standard states in the introduction, “The purpose of risk assessments is to inform decision makers and support risk responses by identifying:

• Relevant threats to organizations or threats directed through organizations against other organizations;

• Vulnerabilities both internal and external to organizations;

• Impact (i.e., harm) to organizations that may occur given the potential for threats exploiting vulnerabilities; and

• Likelihood that harm will occur.”

This standard is security focused, but the assessment of risk can be helpful in a PIA context if a focus on privacy is introduced when developing an organizational program. Without that introduction of a privacy focus, harms to individuals whose personal data are processed will not be addressed, and this will not be an adequate approach.

Privacy risk management frameworks

ISO 27701: Privacy Information Management

The ISO 27701 standard builds on the Information Security Management System (ISMS) defined in ISO/IEC 27001 and is designed to permit the addition of sector-specific requirements without the need to develop a new management system. It is designed to be used by PII controllers (including those that are joint PII controllers) and PII processors (including those using subcontracted PII processors and those processing PII as subcontractors to PII processors), and it requires the creation of documentary evidence of the processing of PII.

ISO/IEC 29100:2024 Information technology – Security Techniques

The ISO/IEC 29100:2024 standard provides the principles and guidelines for managing, systematically and transparently, any form of risk. The standard consists of five main chapters: scope, terms and definitions, principles, framework, and process. As it states in the introduction to the standard:


“The privacy framework is intended to help organizations define their privacy safeguarding requirements related to PII within an ICT environment by:

1. Specifying a common privacy terminology;

2. Defining the actors and their roles in processing PII;

3. Describing privacy safeguarding requirements; and

4. Referencing known privacy principles.”

This standard is a popular risk management methodology, but because it is a generic risk management methodology, it does not address all the issues that should be covered in a PIA.

NIST SP 800-122, Guide to Protecting the Confidentiality of PII

NIST 800-122 covers the process and requirements for PIAs to adequately address confidentiality risks and apply appropriate safeguards. Whether personal data is processed is an important determination, and the standard suggests using a “privacy threshold analysis” (PTA), also known as an “initial privacy assessment” (IPA), to make this determination. If the PTA concludes that personal data is involved, it triggers a PIA. Another helpful aspect of this standard is its descriptions of safeguards and controls.

Section 4.2.2 outlines topics that are commonly addressed by a PIA:

• What information is to be collected

• Why the information is being collected

• The intended use of the information

• With whom the information will be shared

• How the information will be secured

• What choices the agency made regarding an IT system or collection of information as a result of performing the PIA.

While NIST 800-122 is US-centric – and therefore not a great fit when solely relied upon for meeting GDPR DPIA requirements – it is an excellent guide to protecting personal data through the usage of PIAs.

EDPB Guidelines 4/2019 on Article 25 Data Protection by Design & By Default

The EDPB Guidelines 4/2019 focus on the implementation of Data Protection by Design and by Default (DPbDD) as mandated by Article 25 of the GDPR. They provide guidance for controllers on how to incorporate data protection principles into their processing activities from the outset. Additionally, the guidelines are beneficial for processors and producers of products, services, and applications, helping them create GDPR-compliant solutions that enable controllers to meet their data protection obligations effectively.

IEEE 7002-2022 - Data Privacy Process

The IEEE 7002-2022 standard defines the requirements for integrating privacy considerations into systems and software engineering processes. It focuses on managing privacy issues throughout the entire lifecycle of products, services, and systems that handle personal data. This standard provides a comprehensive framework, including procedures, diagrams, and checklists, to help organizations assess and mitigate privacy risks effectively, ensuring compliance with privacy regulations and enhancing the protection of personal data.



OneTrust unlocks the full potential of data and AI, securely and responsibly. Our platform enforces the secure handling of company data,
empowering organizations to drive innovation responsibly while mitigating risks. With a comprehensive suite of solutions spanning data
and AI security, privacy, governance, risk, ethics, and compliance, OneTrust enables seamless collaboration between data teams and risk
teams to enable rapid and trusted innovation. Recognized as the market leader in trust, OneTrust boasts over 300 patents and serves more
than 14,000 customers globally, ranging from industry giants to small businesses. For more information, visit www.onetrust.com
