When being faced with the necessity of conducting a privacy impact assessment / data processing impact assessment (PIA/DPIA), the first considerations are usually devoted to the potentially substantial effort involved.

However, from an information security point of view, this might also be a golden opportunity for identifying threats and vulnerabilities to information systems that are critical for an organization. As a properly conducted PIA/DPIA also produces a solid documentation of where data is stored, how it is processed and how it flows through an organization, critical points in an organization can be identified and a subsequent thorough risk analysis can be initiated.

One of the prerequisites for harvesting these benefits is to base the PIA/DPIA on a solid and well-established method. Coming form a European perspective, GDPR-driven approaches, such as CNIL’s DPIA guides and tools are a very suitable choice. Looking at the problem from a more international perspective, the Australian Privacy Impact Assessment or a risk assessment based on CERT’S OCTAVE method are very promising starting points.

Some significant lessons learned from the PIA/DPIA carried out within the CS-AWARAE project are that whenever the processing personal data occurs in an organization, a PIA/DPIA usually becomes a legally prescribed necessity anyway; that it is a significant effort; but also that the concepts of privacy and security, when properly applied, can fully support each other.

For further information on conducting a PIA/DPIA, some of the following links might be very helpful:

CNIL (France) – Privacy Impact Assessment (PIA):


Office of the Information Commissioner (Australia) – PIA Guide:


CERT OCTAVE Risk Assessment:


Gerald Quirchmayr