A Privacy Impact Assessment (PIA) is a way for any organisation to identify and manage privacy risks arising from a new venture that collects, uses, and/or handles personal information.
An organisation which carries out a PIA before venturing into a new proposal, product, service, system, website, or business idea can identify privacy risks or vulnerabilities, take steps to mitigate them, and improve its systems for managing privacy protection.
This can help to ensure that the business or organisation’s obligations under the Privacy Act 2020 are being fulfilled and reduce the chances of a damaging privacy breach.
What is a PIA?
“Privacy Impact Assessment” is a commonly used term, referring to any method of identifying the privacy implications of a venture that involves personal information.
Some key considerations in a privacy impact assessment may include:
- what effects will the venture / idea / proposal have on privacy;
- will it comply with the requirements of the Privacy Act; and
- what privacy risks may arise and how will those be managed or mitigated.
Who completes a PIA?
The considerations in a PIA will be unique to each business and organisation. To be effective, a PIA needs to be completed by those within the business who best understand the goals, processes, and potential effects of the project being assessed. This may involve drawing on expertise from various people within different parts of the organisation.
The outcome of the assessment will be specific and targeted action points that can be integrated into the organisation's practices in future, so that they remain consistent with existing risk-management frameworks.
What does a PIA look like?
The Office of the Privacy Commissioner provides a toolkit to help organisations starting the PIA process, including an initial assessment about whether or not to do a PIA at all. This can be a useful starting point for your organisation to work from.
Ideally, however, a PIA will be tailored to your organisation’s style and way of working. Usually the detail and content of an effective PIA are aligned with the complexity and risks of the relevant proposal, product, service, system, website, or idea.
Why and when to do a PIA
In practice, many organisations leave any consideration of privacy impacts until the end of the development process. If privacy risks are only identified at that late stage, it can be too late to implement any meaningful change to manage or mitigate privacy risks. It also weakens the overall effectiveness of doing a PIA at all.
Carrying out a PIA during the early stages of a project will ensure that privacy risks are identified at a time when the development and design can still be modified to ensure privacy is protected – often called “privacy by design”. When privacy protection is built in at the design stage, it avoids expensive, time-consuming hurdles later.
More than just ticking a box
People care about how organisations handle their personal information. Improving the ways you store, collect, and handle that information can create greater customer trust and satisfaction, and show customers/clients that your organisation does what it says it will.
Completing a PIA is more than just a box-ticking exercise – it’s a worthwhile process which should be completed as early as possible to ensure that your organisation is fully invested in protecting privacy when carrying out new ventures.
Duncan Cotterill’s specialist data protection and privacy lawyers can assist your organisation to complete a PIA and help you to mitigate and manage potential risks identified by that assessment.
For more information, please contact a member of our Data Protection and Privacy team.
Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.