Abstract
The importance of Privacy Impact Assessment (PIA) has been emphasized by privacy researchers, and conducting one is provided for in legal frameworks such as the European Union's General Data Protection Regulation. However, it remains a complicated and bewildering task for organizations processing personal data, because available methods and guidelines fail to provide adequate guidance, confusing organizations and PIA practitioners alike. This paper analyzes the interplay among PIA stakeholders and proposes an organizational scheme for successful PIA projects.
Notes
1. Article 36 of EU GDPR does not mention sign-off but requires prior consultation with the supervisory authority prior to processing "where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk". The report is one of the elements to be provided to the supervisory authority during the consultation.
© 2019 Springer Nature Switzerland AG
Cite this paper
Vemou, K., Karyda, M. (2019). An Organizational Scheme for Privacy Impact Assessments. In: Themistocleous, M., Rupino da Cunha, P. (eds) Information Systems. EMCIS 2018. Lecture Notes in Business Information Processing, vol 341. Springer, Cham. https://doi.org/10.1007/978-3-030-11395-7_22
DOI: https://doi.org/10.1007/978-3-030-11395-7_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-11394-0
Online ISBN: 978-3-030-11395-7