We can do a Privacy Impact Assessment (PIA) for you. Some people, especially in the EU where the GDPR applies, call it a data protection impact assessment (DPIA). While others call it a personal information impact assessment (PIIA). There are different names given to them:

  • The GDPR in the European Union requires them and calls them data protection impact assessments.
  • The POPIA regulations in South Africa require them and calls them personal information impact assessments.

Whatever you call them, they are essentially the same thing. We have studied International trends and best practice regarding impact assessments and have conducted many for our clients.

In this article, we are discussing one kind of impact assessment (being a privacy impact assessment). You also get an organisational impact assessment and a regulatory impact assessment. You can read more about legal assessments. It is important to know which one you are referring to. We can also do a gap analysis or a compliance audit, but those are something different. The names of these different things all sound very similar but they are quite different things. You can also do a privacy impact assessment yourself with our guidance by joining or data protection programme and working through the conducting privacy impact assessments module.

How you benefit from a privacy impact assessment

  • Ensure that adequate measures and standards exist
  • Know where the biggest impact will be
  • Know where to focus your efforts
  • Know the scope of the remedial work that needs to be done and how best to do it
  • Reduce your legal compliance workload

An assessment focuses on where your organisation is at a point in time.

When should I do a personal information impact assessment?

Your organisation should conduct a PIA before starting a project or beginning to process personal data in terms of a particular activity when there is an opportunity to affect the outcome. You can still do it during or afterwards, but it won’t be nearly as effective. You will do PIAs many times in the future and at different points in time. Doing PIAs is part of protecting personal data and is an ongoing exercise. For example, you might do one once a year and it might take you two weeks to do it each time. You should also do a PIA if you are going to launch a new product or service that involves the processing of personal data.

Sometimes, we recommend that you do a privacy impact assessment for just one of your activities or processes.

Actions you can take

  • Do an impact assessment by asking Michalsons to do one for you.
  • Do a privacy impact assessment yourself with our guidance by joining a Data Protection Programme and working through the conducting privacy impact assessments module.
  • Understand the impact of data protection on your organisation by doing a quick complimentary organisational impact assessment (to assess the high-level impact of applicable data protection laws on your organisation and evaluate the best way forward).
  • Check that you are conducting impact assessments correctly by asking us to review your process and outcomes.

What do you assess?

We assess:

  • what laws you must comply with,
  • the impact the applicable privacy laws or issues will have on your organisation or on a specific activity, process, or application,
  • your current privacy practices,
  • your current state of compliance with data protection laws,
  • where the biggest impact will be, and
  • what you should focus on.