An Organizational Scheme for Privacy Impact Assessments

  • Konstantina Vemou
  • Maria Karyda
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 341)


The importance of Privacy Impact Assessment (PIA) has been emphasised by privacy researchers, and conducting one is provided for in legal frameworks such as the European Union's General Data Protection Regulation. However, it remains a complicated and bewildering task for organisations processing personal data, as the available methods and guidelines fail to provide adequate guidance, confusing both organisations and PIA practitioners. This paper analyses the interplay among PIA stakeholders and proposes an organisational scheme for successful PIA projects.


Keywords: Privacy impact assessment; Privacy management; Privacy governance; GDPR



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Department of Information and Communication Systems Engineering, University of the Aegean, Samos, Greece
