When being faced with the necessity of conducting a privacy impact assessment / data processing impact assessment (PIA/DPIA), the first considerations are usually devoted to the potentially substantial effort involved.
However, from an information security point of view, this might also be a golden opportunity for identifying threats and vulnerabilities to information systems that are critical for an organization. As a properly conducted PIA/DPIA also produces a solid documentation of where data is stored, how it is processed and how it flows through an organization, critical points in an organization can be identified and a subsequent thorough risk analysis can be initiated.
One of the prerequisites for harvesting these benefits is to base the PIA/DPIA on a solid and well-established method. Coming form a European perspective, GDPR-driven approaches, such as CNIL’s DPIA guides and tools are a very suitable choice. Looking at the problem from a more international perspective, the Australian Privacy Impact Assessment or a risk assessment based on CERT’S OCTAVE method are very promising starting points.
Some significant lessons learned from the PIA/DPIA carried out within the CS-AWARAE project are that whenever the processing personal data occurs in an organization, a PIA/DPIA usually becomes a legally prescribed necessity anyway; that it is a significant effort; but also that the concepts of privacy and security, when properly applied, can fully support each other.
For further information on conducting a PIA/DPIA, some of the following links might be very helpful:
CNIL (France) – Privacy Impact Assessment (PIA):
https://www.cnil.fr/en/privacy-impact-assessment-pia
Office of the Information Commissioner (Australia) – PIA Guide:
https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-undertaking-privacy-impact-assessments/
CERT OCTAVE Risk Assessment:
https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=309051
Gerald Quirchmayr
