Abstract
Europe's proposed Data Protection Regulation is expected to make data protection impact assessment (DPIA) mandatory, a development that could impact hundreds of thousands of organizations (both governmental and private sector) in Europe, as well as non-European entities offering their wares and services there. This article reviews the DPIA provisions outlined in the new regulation. For the nuts and bolts of a privacy impact assessment (PIA) methodology, Europe could select features from the PIA methodologies used in Australia, Canada, Ireland, New Zealand, the United Kingdom, and the United States, the countries with the most experience in PIA. A European Commission (EC)-funded project, called PIAF, reviewed these various methodologies and proposed an “optimized” PIA for Europe (and elsewhere) based on the best practices of the aforementioned countries. Based on these best practices, this article outlines a 16-step PIA process. It argues that while some organizations may regard a PIA as a hassle, in fact, a PIA offers many benefits, as spotlighted in the article.
Acknowledgments
© David Wright
Notes
1. More detailed information on these countries can be found in Wright et al. (2011) and Wright and De Hert (2012). Chapter 1 (“Introduction to Privacy Impact Assessment”) of Wright and De Hert (2012) contains a systematic comparison of different PIA methodologies.
2. The Privacy Commissioner acknowledges (Office of the Victorian Privacy Commissioner 2009) that there may be circumstances where the full or partial release of a PIA may not be appropriate. For example, the project may still be in its very early stages. There may also be security, commercial-in-confidence, or, for private-sector organizations, other competitive reasons for not making a PIA public in full or in part. However, transparency and accountability are key issues for good privacy practice and outcomes, so where there are difficulties making the full PIA available, the commissioner encourages organizations to consider the release of a summary version.
3. The streamlined version was expected to be made public in mid-August 2013. However, it was not available at the time this article went to press. Hence, all references in this article are to the second edition of the ICO PIA Handbook.
4. E-Government Act of 2002, Pub. L. 107–347.
5. The PIAF consortium comprises Vrije Universiteit Brussel (Belgium), Trilateral Research & Consulting (UK), and Privacy International (UK). In addition to a review of PIA methodologies, the PIAF report includes an analysis of 10 PIA reports, two each from Australia, Canada, New Zealand, the United Kingdom, and the United States. To our knowledge, this is the first such review of actual PIA reports from these countries.
6. Both papers can be found here: http://www.piafproject.eu/Events.html (accessed June 22, 2013).