Tips for implementing a PIA process

Privacy Impact Assessments (PIAs) are a valuable tool in the Privacy Officer toolkit – identifying and dealing with privacy risk without stifling innovation or impeding progress. But they can also be a bit of a Pain In (the) Ass when it comes to introducing them as a new business process. Even the most bright-eyed Privacy Officer can hit a wall of rejection when they first try to implement a PIA process.

So what are some ways to make introducing a PIA process a positive experience for everyone involved? We’ve come up with some tips based on our experiences helping clients:

Make it relevant

When you want to introduce something new that will require people to change how they currently do things and add to their existing workload, you have to really sell it. Take the ‘what’s in it for me’ approach: look at what benefits a PIA can bring to both the specific project and the organisation as a whole.

Of course there is the clear benefit of supporting compliance with the Privacy Act, but also consider the less tangible benefits, such as demonstrating to your customers and clients that you understand the importance of privacy, growing your internal privacy awareness and maturity, and avoiding nasty surprises in the future when a privacy risk unexpectedly pops up and requires time and money to manage. You can even consider including in your PIA process a focus on identifying privacy opportunities as well as risks.

Make it fit

A common client request we get is for a PIA template that can be picked up and rolled out in their organisation. Unfortunately, in our experience there isn’t really a one-size-fits-all PIA process that will work for everyone. Every organisation will have different privacy risks, different risk appetites, different levels of privacy maturity, and different capacity to resource a PIA process. All of these factors influence what the right PIA process will be for your organisation.

For some organisations a simple self-service checklist of ‘privacy things to consider’ will be enough to identify high-risk activities that should be brought to the Privacy Officer’s attention. For other organisations something more formalised and detailed will be more appropriate.

Make it effective

A PIA process needs to have some resourcing behind it – someone (i.e. the Privacy Officer) needs to have the time and capability to review and provide advice on what the business produces, otherwise it can turn into a lip-service exercise.

It’s also crucial in our experience to have support from the top, both philosophically as a cheerleader and practically with allocated resourcing. PIA processes work best in places with a good privacy culture, and this has to be led from the top.

Also think about what your threshold will be to trigger a PIA, so you can make sure your organisation has the resourcing needed to review and provide advice in response. A PIA process that causes delays will not be popular – or effective. Do you want the PIA process to be triggered by any change process involving personal information? Or maybe just where more sensitive personal information is involved, or large volumes, or new technologies?

Make it easy

If in doubt, our advice is to err on the side of simplicity when first introducing a PIA process – it’s better to have a light-touch, quick process that people will actually do than something that might dig deeper but which people actively try to avoid because it is perceived as too complex and time-consuming.

If you can build a PIA process into an existing process (such as an information security assessment or a procurement process), this can be even better in terms of getting it accepted as BAU (business as usual).

Make it accountable

Lastly, where many PIA processes fall down is on accountability – who is responsible for implementing the Privacy Officer’s recommendations. We recommend clarifying this right at the outset when establishing a PIA process – and for the record, our view is that responsibility for addressing any privacy risks identified lies squarely with the business, not the Privacy Officer.

PIA Workshop – If you want to explore these ideas more, we are running a Privacy Officer Update session on PIAs on 27 September – more info and registration here.