Conducting Privacy Impact Assessments Code of Practice (EU)


Key Questions: How do I conduct a PIA? What is the proper procedure for conducting a PIA? How do I integrate PIAs into my organisation?

Privacy impact assessments (PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective PIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.

This code explains the principles which form the basis for a PIA. The main body of the code sets out the basic steps which an organisation should carry out during the assessment process. The practical implementation of the basic principles will depend on the organisation’s usual business practice.


  • Information Commissioner’s foreword
  • About this code
  • Chapter 1 – Introduction to PIAs
  • Chapter 2 – The PIA process
  • Chapter 3 – Consultation
  • Chapter 4 – Identifying the need for a PIA
  • Chapter 5 – Describing information flows
  • Chapter 6 – Identifying privacy and related risks
  • Chapter 7 – Identifying and evaluating privacy solutions
  • Chapter 8 – Signing off and recording the PIA outcomes
  • Chapter 9 – Integrating PIA outcomes back into the project plan
  • Annex one – Privacy impact assessment screening questions
  • Annex two – Privacy impact assessment template
  • Annex three – Linking the PIA to the data protection principles
  • Annex four – Further reading
  • Annex five – Integrating PIAs with project and risk management
Contact Person/Organization: Information Commissioner's Office (ICO)

Privacy Impact Assessment and Risk: The ICO's survey objectives