
ISO Privacy Framework - Privacy Impact Assessment (PIA) - Part 2

For privacy, the ISO standards offer a separate procedure for risk analysis: the privacy impact assessment (PIA). This tool helps to identify privacy risks, define the necessary protective mechanisms and demonstrate your own efforts to protect data in a structured report.

The Privacy Impact Assessment (PIA) should begin as early as possible in a project, be it a new project or the conversion of an infrastructure - preferably during the planning phase. The PIA is necessary as soon as "sensitive PII" is processed - according to ISO 29100:2011, this is all data whose unauthorized disclosure leads to significant harm to the PII principal. As a reminder: PII = Personally Identifiable Information = data that makes a person identifiable, but also allows conclusions to be drawn about their behavior or personal situation.

This also includes all data that must be protected due to legal or other requirements. For example, the Swiss Data Protection Act (DSG) classifies data relating to health or political views as particularly worthy of protection. Depending on the industry, other data may also be relevant, particularly in banks, hospitals or insurance companies. The EU goes a few steps further with the GDPR, as it already includes tracking cookies among the relevant data, for example. Before deciding whether to carry out a PIA, it is therefore also necessary to take a look at the applicable laws.

If you want to carry out a PIA according to recognized procedures, you should refer to the ISO 29134:2017 standard - the "Guidelines for Privacy Impact Assessment".

Assessing the extent of the damage

Anyone who has already carried out risk assessments is familiar with the extent of damage ("consequence criteria" and "impact criteria") as an evaluation criterion for a risk: an assessment is made of how high the damage can be in quantitative terms or how it can be classified in qualitative terms. The PIA is similar: what damage could a privacy breach cause to the PII principal?

However, this assessment is very abstract. The PII controller cannot objectively judge what damage a privacy breach could cause to the PII principal. The assessment also represents a change of focus: the potential damage must not be assessed from the perspective of one's own organization; instead, one must put oneself in the PII principal's shoes. The risk assessment should therefore be carried out separately for information security (IS) and for privacy, as the same vulnerability may have to be rated differently in the two contexts.

Level of Impact

Some of these terms are very abstract. The ISO standard therefore recommends using the term "level of impact". This is a qualitative assessment based on the criterion of how much effort the PII principal would have to make to compensate for the damage on their own.

Our table shows an example including a comparison with data classification levels.


Identify assets

At the beginning of the PIA, it is important to correctly determine the scope, which is typically done by analyzing the business cases and determining the assets involved. Based on this, a schematic of the data processing paths ("data flows", processing chain of the data) is created and the possible behavior of the users ("use cases", type of use of the service) is determined.

To identify the data flows, it is advisable to answer these questions:

  • Collection: where and how is the data collected?
  • Storage: Where and how is the data stored?
  • Use: Where is the data processed?
  • Transfer: Between which systems is the data transferred?
  • Deletion: When and where is the data deleted?

Once this has been identified, the potential damage is determined in the PIA for the possible combinations of data flows and use cases. This is where the PIA differs from the typical identification of primary and secondary assets in the IS risk assessment, as it is more strongly oriented towards the interaction of the user with the system and the processing taking place in the background. The PIA should therefore not only involve technical staff for analysis, but ideally also the business and sales departments.

Requirements for data processing

The PIA also requires the "Privacy Safeguarding Requirements" to be recorded, i.e. the data protection requirements from a legal and regulatory perspective as well as industry-specific specifications. Companies with an internal legal department can consult it for support here, since this is where the link to the Swiss Data Protection Act (DSG) and the GDPR is established. If this is done carefully in the first PIA, the clarifications can be reused in future assessments.

The PIA also expects an assessment of whether the data processing is necessary with regard to the service to be provided. This is particularly important in the context of the GDPR - it is precisely the provisions of the GDPR that mean that many websites now obtain separate consents for different types of cookies.

The privacy risk map

A list of possible threats is required for the PIA. The standard contains a longer template for this. A possible threat can be, for example, "unauthorized access to PII" if a software error is exploited or "loss of PII" if a server malfunction occurs.

Figure: PIA privacy risk map

Once all the information is available, a "privacy risk map" is drawn. The probability of occurrence can be determined in the same way as in the information security risk assessment.

Figure: risk map

With the privacy risk map and the register of privacy risks, it is then necessary to determine where exactly the risk acceptance line runs and, if necessary, to define the protective measures. If you are already familiar with this from IS risk management, you can proceed as usual.
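As an added illustration (not part of the original article or of the standard), the following Python sketch builds a small privacy risk register from data flow and use case combinations, scores each entry from likelihood and level of impact, and reports which entries lie above a risk acceptance line. The four-step scale, the multiplicative scoring, the position of the acceptance line and the register entries are all constructed assumptions.

```python
from dataclasses import dataclass
from itertools import product

# Four-step qualitative scale (constructed for this example). The level of
# impact is judged from the PII principal's point of view, as the article explains.
SCALE = {"negligible": 1, "limited": 2, "significant": 3, "maximum": 4}

# Assumed risk acceptance line: any (likelihood, impact) pair whose product
# exceeds this value lies above the line and needs a protective measure.
ACCEPTANCE_LINE = 4


@dataclass(frozen=True)
class PrivacyRisk:
    data_flow: str   # collection, storage, use, transfer or deletion
    use_case: str    # how the user interacts with the service
    threat: str      # threat from the template, e.g. "unauthorized access to PII"
    likelihood: str  # determined as in the IS risk assessment
    impact: str      # level of impact for the PII principal

    @property
    def score(self) -> int:
        return SCALE[self.likelihood] * SCALE[self.impact]

    @property
    def accepted(self) -> bool:
        return self.score <= ACCEPTANCE_LINE


def risk_map(risks):
    """Group register entries into the cells of a privacy risk map."""
    cells = {(lik, imp): [] for lik, imp in product(SCALE, SCALE)}
    for r in risks:
        cells[(r.likelihood, r.impact)].append(r)
    return cells


def needs_treatment(risks):
    """Entries above the acceptance line, most severe first."""
    return sorted((r for r in risks if not r.accepted), key=lambda r: -r.score)


# Constructed register; the threats are the two examples named in the article.
REGISTER = [
    PrivacyRisk("storage", "customer self-service portal", "unauthorized access to PII (exploited software error)", "limited", "maximum"),
    PrivacyRisk("transfer", "export to billing partner", "unauthorized access to PII", "significant", "significant"),
    PrivacyRisk("deletion", "account closure", "loss of PII (server malfunction)", "limited", "limited"),
    PrivacyRisk("collection", "web form", "loss of PII", "negligible", "significant"),
]

if __name__ == "__main__":
    for r in needs_treatment(REGISTER):
        print(f"{r.score:>2}  {r.data_flow}/{r.use_case}: {r.threat}")
```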

Procedure and report of the privacy impact assessment

The following diagram shows an overview of how a PIA works. The "PIA report", which is required by ISO 29134:2017, is also listed here.

Figure: PIA process flow

Content of the PIA report:

  • Scope & requirements
  • Information on the purpose of the processing
  • Description of data collection and processing
  • The paths of data processing
  • Regulation of access rights
  • Identified risks
  • Protective measures applied

A company should use the same template for all projects. If you take a look at the standard, you will find an example of a possible structure.

The structure of the template should allow versions to be generated for different target groups. Anyone who can derive a shortened and simplified version from the full report, for example for a customer, will be able to document the efforts made and submit it when participating in a tender.

Why is the PIA important?

The Privacy Impact Assessment (PIA) is a tool for analyzing and transparently identifying potential risks. On the one hand, this fulfills the obligation of an impact analysis required by the GDPR - on the other hand, the resulting PIA report can also serve as a means of demonstrating to your own customers what happens to their data and how it is protected.

Anyone who already has experience with risk analyses in IS will quickly find their way around the PIA, but will have to get used to one or two aspects. As part of our consulting services, Swiss Post Cybersecurity will support you in creating your first PIA.