Privacy Impact Assessments (PIAs)
The Privacy Impact Assessment (PIA) is the core artefact used to assess privacy risk within an organisation, typically for a given project, IT system, cloud service or process. It is normally used:
To identify whether a proposed project is likely to affect the privacy of the individuals it involves, either positively or negatively.
To decide whether and how to adjust the proposal so that privacy risks are managed and the benefits of handling personal information well are maximised.
To check whether your project is likely to comply with privacy laws.
As a reference point for future action as the project, or your business, changes.
ThreeBlackCats deliver a right-sized, decision-focused PIA aligned with the regulator’s privacy expectations. The PIA clearly identifies privacy risks, impacts, and recommended controls, and provides practical guidance for design, build, and operational teams. The PIA also supports governance, assurance, and regulatory engagement, and remains a maintainable artefact that can evolve with your project as it changes.
Our Approach
A PIA can be undertaken at any time in a project’s lifecycle. We recommend that the initial PIA be undertaken in the early stages of a project, to provide guidance on what the big risks are and what the options are for responding to them.
Later in the project, you typically revisit and update the PIA to confirm that no new risks have emerged and that the planned controls have actually been implemented.
The traditional approach to PIAs does not fit easily with agile projects and often causes delays in a continuous release programme. For this reason, we take a different approach when undertaking a PIA in an agile project environment. For agile projects we use the same methodology as for a waterfall project to determine the risks and controls, but we start with a PIA that covers only the minimum viable product (MVP). Because requirements change rapidly in agile delivery, we review and update the PIA every increment and discuss the changes with the business owner. When reviewing and updating the PIA we focus only on the areas that have changed since the last version, with the previous version retained as the baseline so that each change in risk or controls is traceable.