Skip to main content

An Organizational Scheme for Privacy Impact Assessments

  • 1265 Accesses

Part of the Lecture Notes in Business Information Processing book series (LNBIP,volume 341)


The importance of Privacy Ιmpact Αssessment (PIA) has been emphasized by privacy researchers and its conduction is provisioned in legal frameworks, such as the European Union’s General Data Protection Regulation. However, it is still a complicated and bewildering task for organizations processing personal data, as available methods and guidelines fail to provide adequate guidance confusing organisations and PIA practitioners. This paper analyzes the interplay among PIA stakeholders and proposes an organizational scheme for successful PIA projects.


  • Privacy impact assessment
  • Privacy management
  • Privacy governance
  • GDPR

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions


  1. 1.

    Article 36 of EU GDPR does not mention sign-off but requires prior consultation with the supervisory authority prior to processing “where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk”. The report is one of the elements to be provided to the supervisory authority during the consultation.


  1. Pavlou, P.: State of the information privacy literature: where are we now and where should we go. MIS Q. 35(4), 977–988 (2011)

    CrossRef  Google Scholar 

  2. Schwaig, K.S., Kane, G.C., Storey, V.C.: Compliance to the fair information practices: how are the Fortune 500 handling online privacy disclosures? Inf. Manag. 43(7), 805–820 (2006)

    CrossRef  Google Scholar 

  3. Spiekermann, S., Novotny, A.: A vision for global privacy bridges: technical and legal measures for international data markets. Comput. Law Secur. Rev. 31(2), 181–200 (2015)

    CrossRef  Google Scholar 

  4. Moores, T., Dhillon, G.: Do privacy seals in e-commerce really work? Commun. ACM - Mob. Comput. Oppor. Chall. 46(12), 265–271 (2003)

    Google Scholar 

  5. BBC: Facebook scandal ‘hit 87 million users’, 04 April 2018. Accessed 20 May 2018

  6. European Commission: Flash Eurobarometer: data protection in the European Union: citizens perceptions. Analytical report (2008)

    Google Scholar 

  7. European Commission: Special Eurobarometer 431: data protection. Report (2015)

    Google Scholar 

  8. European Commission: Special Eurobarometer 443: e-privacy. Report (2016)

    Google Scholar 

  9. Gigya: The 2017 State of Consumer Privacy and Trust report. Accessed 20 May 2018

  10. Cavoukian, A.: Privacy by design: the definitive workshop. A foreword by Ann Cavoukian, Ph.D. Identity Inf. Soc. 3(2), 247–251 (2010)

    CrossRef  Google Scholar 

  11. Clarke, R.: Privacy impact assessment: its origins and development. Comput. Law Secur. Rev. 25(2), 123–135 (2009)

    CrossRef  Google Scholar 

  12. UK Information Commissioner’s Office (ICO): Conducting Privacy Impact Assessments: Code of Practice (2014). Accessed 02 Mar 2018

  13. Treasury Board of Canada Secretariat (Canada TBS): Directive of Privacy Impact Assessments (2010). Accessed 02 Mar 2018

  14. International Organization for Standardization (ISO): ISO/IEC 29134 Information Technology – Security Techniques—Privacy Impact Assessment – Guidelines (2017)

    Google Scholar 

  15. Wright, D.: Making privacy impact assessment more effective. Inf. Soc. 29(5), 307–315 (2013)

    CrossRef  Google Scholar 

  16. Wright, D., Finn, R., Rodrigues, R.: A comparative analysis of privacy impact assessment in six countries. J. Contemp. Eur. Res. 9(1), 160–180 (2013)

    Google Scholar 

  17. Oetzel, M.C., Spiekermann, S.: A systematic methodology for privacy impact assessments: a design science approach. Eur. J. Inf. Syst. 23(2), 126–150 (2014)

    CrossRef  Google Scholar 

  18. Bieker, F., Friedewald, M., Hansen, M., Obersteller, H., Rost, M.: A process for data protection impact assessment under the European general data protection regulation. In: Schiffner, S., Serna, J., Ikonomou, D., Rannenberg, K. (eds.) APF 2016. LNCS, vol. 9857, pp. 21–37. Springer, Cham (2016).

    CrossRef  Google Scholar 

  19. Commission Nationale de l’Informatique et des Libertes (CNIL): Privacy Impact Assessment (PIA) Methodology (2018). Accessed 22 Apr 2018

  20. Office of the Australian Information Commissioner (OAIC): Guide to undertaking privacy impact assessments (2014). Accessed 02 Mar 2018

  21. Spiekermann, S.: The RFID PIA–developed by industry, endorsed by regulators. In: Wright, D., De Hert, P. (eds.) Privacy Impact Assessment. LGTS, vol. 6, pp. 323–346. Springer, Dordrecht (2012).

    CrossRef  Google Scholar 

  22. Health Information and Quality Authority of Ireland (HIQA): Guidance on Privacy Impact Assessment (PIA) in Health and Social Care (2017). Accessed 20 May 2018

  23. Office of the Privacy Commissioner (OPC) New Zealand: Privacy Impact Assessment Toolkit (2015). Accessed 02 Mar 2018

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Konstantina Vemou .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Vemou, K., Karyda, M. (2019). An Organizational Scheme for Privacy Impact Assessments. In: Themistocleous, M., Rupino da Cunha, P. (eds) Information Systems. EMCIS 2018. Lecture Notes in Business Information Processing, vol 341. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-11394-0

  • Online ISBN: 978-3-030-11395-7

  • eBook Packages: Computer ScienceComputer Science (R0)