

A Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information is collected, used, shared, and maintained within the company. The purpose of a PIA is to demonstrate how privacy protections have been consciously incorporated at the system level and across the company throughout the information life cycle. The PIA captures potential risks or vulnerabilities and the likelihood that they will occur in a system. The Privacy Risk Register is maintained as part of the PIA process.

The assessment will be based on the privacy impact drivers for each system or process. The Data Map will capture and track the risks identified for each system. 

Maintaining a Privacy Risk Register and evaluating overall privacy maturity are necessary components to measure and manage the privacy and data ethics within the organization. 


Four commonly used Risk Priority levels are:

  • Avoid/Reduce: Risks that must be avoided outright or significantly reduced by implementing controls that lower both their impact and their likelihood.

  • Revisit: Moderate risks of lesser priority to which the organization currently chooses to devote fewer resources.

  • Accept: Risks that are accepted without further control implementation, especially where the treatment of other security or privacy risks also reduces this risk.

  • Transfer: Risks for which responsibility can be transferred to another party that can accept and better address the risk and/or has the resources necessary to properly mitigate it.

Privacy Risk Register 

The Privacy Risk Register provides an overview of all risks across all systems and is maintained in the Data Map. A typical risk register might contain the following fields and can be customized to an organization’s needs:

  • Potential Risks: The potential risk or vulnerabilities that the organization can be exposed to. 

  • Risk Likelihood: The potential likelihood of risks to materialize. 

  • Risk Severity: The highest level of damage possible when a vulnerability or a risk occurs. 

  • Risk Impact Score: Overall score for each risk. This will be based on the severity and likelihood.  

  • Type of Impact: Potential types of impact to the organization if the risk materializes. These can include loss of trust with customers, economic loss, reputational loss, civil liabilities, regulatory action, etc.

  • Controls Implemented: Actions and Privacy Controls that lessen the probability and/or negative consequences associated with risk. 

  • Risk Owner: The person responsible for accepting, managing, or mitigating the risk within the company. 

  • Risk Priority: Each risk is classified into different Risk Priority levels based on the risk impact score and type of impact. 


What is Privacy Risk Impact? 

Privacy Risk Impact Drivers are the attributes of a system that contribute to its privacy risk. These include the volume of personal information held on the system, retention periods, access, storage method, and controls. Privacy Risk Impact Drivers are tracked in the Data Map, and an overall Privacy Risk Impact is calculated for each system from its drivers.