After the first wave of PIA methods, in the last two years, further ideas have been proposed. Unfortunately, they introduce complexity, instead of help for controllers, processors and operators.
In 2014 European Commission ruled on smart grid and promoted another model for PIAs. This model has theoretical errors (e.g. “feared events” and “threats” are supposed to define different subjects) and requires a much more complex method (in 74 pages!) than the previous one, where “impact” and “likelihood” are now doubled in 4 parameters: data subjects identification ease, impacts on data subjects, vulnerabilities width and capability of threats to exploit vulnerabilities. In the end, the risk level should be presented in 4 values (Risks with a high severity and likelihood, risks with a high severity but a low likelihood, risks with a low severity but a high likelihood and risks with a low severity and likelihood).
Such model, including a DPIA template, is available on the web: http://ec.europa.eu/energy/en/topics/markets-and-consumers/smart-grids-and-meters.
CNIL, French data protection Authority, in July 2015 issued PIA guidelines, aligned with the most complex smart grid model. It also introduces strange ideas such as having the identification of security controls before risk analysis. Such guidelines are available on the web in French http://www.cnil.fr/linstitution/actualite/article/article/etude-dimpacts-sur-la-vie-privee-suivez-la-methode-de-la-cnil/.
CNIL guidelines are also available in French: http://www.cnil.fr/english/news-and-events/news/article/privacy-impact-assessments-the-cnil-publishes-its-pia-manual/.
Smart grid and CNIL models, obviously, don’t follow one of the first principles of security: keep it simple and stupid (also known as “KISS principle”).
Last actor: ISO/IEC JTC1 SC27 WG5 (a working group near the one who maintains ISO/IEC 27001) is working on a future standard ISO/IEC 29134 (according with the best case scenario, it will be published in end 2016). This proposal, at the time of writing this article, is more KISS oriented and requires a risk analysis based only on two variables (impact and likelihood).