Our philosophy is straightforward: business goals should shape privacy requirements — not the other way around. While privacy professionals have long argued that privacy is a business imperative, the typical design of Privacy Impact Assessments (PIAs) doesn’t reflect this belief.
In many cases, PIAs are over-engineered, attempting to eliminate human judgment and subjectivity from the process. With each new privacy law, PIAs tend to grow in length and complexity, and the original intent — to genuinely assess and address privacy risks — gets lost. Over time, completing the PIA becomes a task to check off, rather than a meaningful step towards managing privacy.
Ultimately, accountability lies with people, not processes or technology. This makes open conversations the most valuable part of any privacy assessment. A PIA shouldn’t replace these conversations; it should document them.
A well-designed PIA is a record of the process by which we work together to:
- Understand the business context
- Document data practices
- Identify privacy risks
- Implement controls and safeguards
Learn about our approach in Meg’s blog post on why our PIA approach is based on accountability, not compliance.