The PIA concept from directive 95/46 to the current draft of the EU – Part 1

By | Tuesday July 21st, 2015

First developments 

Privacy impact assessment (PIA) is more and more cited in news and technical documents. This article is a first attempt to analyse the first significant contributions on this subject and has no aim of completeness.

Present EU Directive 95/46 on data protection requires to data controllers and processors to have measures to “ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected”. Some kind of risk assessment is thus required.

The draft of the possible future European Regulation on data protection has the same requirements of EU Directive 95/46, but adds the need of Data protection impact assessment “where processing operations present specific risks to the rights and freedoms of data subjects”.

If you Google “Privacy impact assessment”, one of the first results is a page of USA Homeland security that issued some PIAs. Some of them are dated 2005-2006, so they are the oldest examples of such documents. USA Homeland security PIAs are, in truth, information to be given to data subjects, not risk assessment and treatment reports.

They are also very easy to read and understand:

In Europe, one of the first citations of PIA dates 2009, in European Commission document “Commission recommendation of 12 May 2009 on the implementation of privacy and data protection principles in applications supported by radio- frequency identification (notified under document number C(2009) 3200) – (2009/387/EC)”.

This document requires to RFID operators to prepare a “summary of the privacy and data protection impact assessment” and to describe “likely privacy risks, if any, relating to the use of tags in the application and the measures that individuals can take to mitigate these risks”. So, from 2006 to 2009 someone decided that PIAs are privacy risk assessment and treatment reports and not a set of user-friendly information to be given to data subjects:

Art. 29 Working party, endorsed by the European Commission, issued in 2011 some simple recommendations for writing PIAs. They requires to operators to: identify risks (a list of 15 threats is suggested), evaluate their impacts and likelihood, assign them a value (high, medium, low), describe security controls, link them with threats and declare if resulting risk is acceptable.

This document, with title ” Annex: Privacy and Data Protection Impact Assessment Framework for RFID Applications” Is available on Art. 29 WP website:

In the next post, further development will be reported.

Category: Impact, Risk and Measures Tags:

About Cesare Gallotti

More than 15 years of experience in information security and IT process management. Italian representative in ISO/IEC SC 27 WG1 international meetings for writing ISO/IEC 27000 standard family. Activities in Italy, Europe, Asia and Africa, for companies of various sizes and market sectors. Consultancy, training and audit for: information security, quality, compliance with legal requirements (Personal Data Protection, SOX, etc.), compliance with international standards (ISO 9001, ISO/IEC 27001, ISO/IEC 20000, ISO 22301, etc.), and processes improvement.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.