Integrating privacy impact assessment in risk management

David Wright; Kush Wadhwa; Monica Lagazio; Charles Raab; Eric Charikane

doi:10.1093/idpl/ipu001

Integrating privacy impact assessment in risk management

David Wright, Kush Wadhwa, Monica Lagazio, Charles Raab, Eric Charikane

School of Social and Political Science

Research output: Contribution to journal › Article › peer-review

Abstract

This article presents the results of a study performed in 2013 for the United Kingdom (UK) Information Commissioner's Office (ICO) on improving the integration of a privacy impact assessment (PIA) with risk management and project management methodologies and making recommendations for the revision of the ICO's PIA Handbook.

The study included a large-scale survey of organizations' use of these methodologies and consonance with the Handbook; case studies based on in-depth interviews; and an analysis of methodologies with a view to their integration with PIA.

The main finding was that there are possibilities for integrating PIA into project and risk management practices. However, such integration would require some re-allocation and development of relevant roles, and the creation of a privacy-aware culture so that privacy risk can be assessed early enough in an organization's cycles to make a difference to the information systems, processes, and policies that are produced.

The study team made recommendations to the ICO and other organizations that use PIAs. The findings and recommendations have applicability not only to organizations in the UK, but in other countries as well.

Original language	English
Pages (from-to)	155-170
Number of pages	16
Journal	International Data Privacy Law
Volume	4
Issue number	2
DOIs	https://doi.org/10.1093/idpl/ipu001
Publication status	Published - 1 May 2014

Access to Document

10.1093/idpl/ipu001

http://idpl.oxfordjournals.org/cgi/doi/10.1093/idpl/ipu001

Cite this

@article{b8205e37e6de45d88f463992ae89d1c6,

title = "Integrating privacy impact assessment in risk management",

abstract = "This article presents the results of a study performed in 2013 for the United Kingdom (UK) Information Commissioner's Office (ICO) on improving the integration of a privacy impact assessment (PIA) with risk management and project management methodologies and making recommendations for the revision of the ICO's PIA Handbook. The study included a large-scale survey of organizations' use of these methodologies and consonance with the Handbook; case studies based on in-depth interviews; and an analysis of methodologies with a view to their integration with PIA. The main finding was that there are possibilities for integrating PIA into project and risk management practices. However, such integration would require some re-allocation and development of relevant roles, and the creation of a privacy-aware culture so that privacy risk can be assessed early enough in an organization's cycles to make a difference to the information systems, processes, and policies that are produced. The study team made recommendations to the ICO and other organizations that use PIAs. The findings and recommendations have applicability not only to organizations in the UK, but in other countries as well. ",

author = "David Wright and Kush Wadhwa and Monica Lagazio and Charles Raab and Eric Charikane",

year = "2014",

month = may,

day = "1",

doi = "10.1093/idpl/ipu001",

language = "English",

volume = "4",

pages = "155--170",

journal = "International Data Privacy Law",

issn = "2044-3994",

publisher = "Oxford University Press",

number = "2",

}

TY - JOUR

T1 - Integrating privacy impact assessment in risk management

AU - Wright, David

AU - Wadhwa, Kush

AU - Lagazio, Monica

AU - Raab, Charles

AU - Charikane, Eric

PY - 2014/5/1

Y1 - 2014/5/1

N2 - This article presents the results of a study performed in 2013 for the United Kingdom (UK) Information Commissioner's Office (ICO) on improving the integration of a privacy impact assessment (PIA) with risk management and project management methodologies and making recommendations for the revision of the ICO's PIA Handbook. The study included a large-scale survey of organizations' use of these methodologies and consonance with the Handbook; case studies based on in-depth interviews; and an analysis of methodologies with a view to their integration with PIA. The main finding was that there are possibilities for integrating PIA into project and risk management practices. However, such integration would require some re-allocation and development of relevant roles, and the creation of a privacy-aware culture so that privacy risk can be assessed early enough in an organization's cycles to make a difference to the information systems, processes, and policies that are produced. The study team made recommendations to the ICO and other organizations that use PIAs. The findings and recommendations have applicability not only to organizations in the UK, but in other countries as well.

AB - This article presents the results of a study performed in 2013 for the United Kingdom (UK) Information Commissioner's Office (ICO) on improving the integration of a privacy impact assessment (PIA) with risk management and project management methodologies and making recommendations for the revision of the ICO's PIA Handbook. The study included a large-scale survey of organizations' use of these methodologies and consonance with the Handbook; case studies based on in-depth interviews; and an analysis of methodologies with a view to their integration with PIA. The main finding was that there are possibilities for integrating PIA into project and risk management practices. However, such integration would require some re-allocation and development of relevant roles, and the creation of a privacy-aware culture so that privacy risk can be assessed early enough in an organization's cycles to make a difference to the information systems, processes, and policies that are produced. The study team made recommendations to the ICO and other organizations that use PIAs. The findings and recommendations have applicability not only to organizations in the UK, but in other countries as well.

U2 - 10.1093/idpl/ipu001

DO - 10.1093/idpl/ipu001

M3 - Article

SN - 2044-3994

VL - 4

SP - 155

EP - 170

JO - International Data Privacy Law

JF - International Data Privacy Law

IS - 2

ER -

Integrating privacy impact assessment in risk management

Abstract

Access to Document

Fingerprint

Cite this