There are a lot of privacy stories around at the moment, especially in relation to social media. In information (cyber) security it is accepted practice to undertake a risk assessment, a key part of which is assessing the potential impact of a security event. Unfortunately, in both security and privacy, those who feel the impact, the victims, are not necessarily those who perpetrate the loss. So there is insufficient economic incentive for those taking risks with our personal data to do it well. For me there are at least 3 arguments in favour of Privacy Impact Assessments (PIAs), which are proposed as a way forward:
1) To redress this balance and encourage more investment in privacy protection;
2) To provide guidance and help to organisations;
3) To ensure 'due diligence' is performed.
Of course, if 'due diligence' becomes box ticking, or PIAs are seen as bureaucratic obstacles, then these benefits may not be realised. Ultimately what we want to encourage is 'privacy by design', and this can only be achieved if the right risk analysis is performed ab initio.