Why aren’t all UK companies using privacy impact assessments?

It has been a long year since the UK Information Commissioner's Office (ICO) released its updated report, 'Conducting privacy impact assessments code of practice', in February 2014.

Privacy impact assessments (PIAs) are at the heart of a 'privacy by design' approach. They allow organisations to find and fix privacy problems at an early stage in a project, reducing the costs and reputational damage that might otherwise follow a breach of data protection laws and regulations. They also help organisations to meet the growing privacy expectations of their customers, employees and other stakeholders.

Most of the ICO's recommendations on PIAs were drawn from the excellent report produced by Trilateral Research and Consulting, which surveyed the use of PIAs and commented on how they can be integrated with other project and risk management processes.

So, how many commercial organisations are using PIAs?

While public sector organisations (including the NHS) are compelled to use and report on PIAs, few commercial organisations appear to have declared that they have any PIAs in place at all. This seems odd, as there is clear evidence of increased awareness of, and compliance with, data protection laws and regulations. Just as odd is the fact that the ICO considers PIAs a 'must-have' data protection compliance tool, one that can be used to demonstrate this compliance clearly to all stakeholders.

The simple reason for the lack of organisational enthusiasm for PIAs could be the absence of any compulsion to use them. The requirements of the Data Protection Act are relatively easy for most companies to satisfy and, while PIAs are recommended, they are not a mandatory requirement for complying with the law. This situation is about to change with the imminent ratification of the EU General Data Protection Regulation (GDPR), which makes an impact assessment (called a data protection impact assessment, or DPIA, in the GDPR) mandatory for processing that is likely to result in a high risk to individuals.

For many larger commercial organisations that do take data privacy seriously, it is possible that privacy impact assessment is already part of their integrated risk management best practices and standards, which might include the Combined Code, ISO 31000, ISO 27001 or COBIT 5. It may also be part of compliance with an industry code, such as the FCA (formerly FSA) rules for the UK financial services industry.

The IT Governance Ltd training programme is dedicated to helping UK IT professionals and their organisations both achieve compliance with the Data Protection Act and implement effective data privacy controls using PIAs. This is supported by our DPA Foundation Training Course and our unique Privacy Impact Assessment (PIA) Workshop.

The Privacy Impact Assessment (PIA) Workshop is a one-day classroom session designed to give delegates the practical knowledge needed to deliver effective PIAs. It costs just £350 + VAT, and the next session runs in London on 3 March.