Privacy Impact Assessment: Comparing Methodologies with a Focus on Practicality

  • Tamas Bisztray
  • Nils Gruschka
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11875)


Privacy and data protection have become increasingly important in recent years, since a growing number of enterprises and startups harvest personal data as part of their business model. One central requirement of the GDPR is the implementation of a data protection impact assessment for privacy-critical systems. However, the law does not prescribe a specific assessment method.

In this paper we compare different data protection impact assessment methods. We have developed a comparison and evaluation methodology and applied it to three of the most widespread assessment frameworks. The result of this comparison shows their strengths and weaknesses, but also clearly indicates that none of the tested methods fulfils all desired properties. Thus, the development of a new or improved data protection impact assessment framework is an important open issue for future work.


Keywords: Data protection, Privacy Impact Assessment, GDPR, DPIA



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Department of Informatics, University of Oslo, Oslo, Norway