{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,30]],"date-time":"2026-01-30T23:27:57Z","timestamp":1769815677353,"version":"3.49.0"},"reference-count":31,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2019,8,26]],"date-time":"2019-08-26T00:00:00Z","timestamp":1566777600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2019,8,26]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This paper aims to practically guide privacy impact assessment (PIA) implementation by proposing a PIA process incorporating best practices from existing PIA guidelines and privacy research.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>This paper critically reviews and assesses generic PIA methods proposed by related research, data protection authorities and standard\u2019s organizations, to identify best practices and practically support PIA practitioners. To address identified gaps, best practices from privacy literature are proposed.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>This paper proposes a PIA process based on best practices, as well as an evaluation framework for existing PIA guidelines, focusing on practical support to PIA practitioners.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>The proposed PIA process facilitates PIA practitioners in organizing and implementing PIA projects. 
This paper also provides an evaluation framework, comprising a comprehensive set of 17 criteria, for PIA practitioners to assess whether PIA methods\/guidelines can adequately support requirements of their PIA projects (e.g. special legal framework and needs for PIA project organization guidance).<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This research extends PIA guidelines (e.g. ISO 29134) by providing comprehensive and practical guidance to PIA practitioners. The proposed PIA process is based on best practices identified from evaluation of nine commonly used PIA methods, enriched with guidelines from privacy literature, to accommodate gaps and support tasks that were found to be inadequately described or lacking practical guidance.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-04-2019-0047","type":"journal-article","created":{"date-parts":[[2019,9,4]],"date-time":"2019-09-04T10:02:10Z","timestamp":1567591330000},"page":"35-53","source":"Crossref","is-referenced-by-count":18,"title":["Evaluating privacy impact assessment methods: guidelines and best practice"],"prefix":"10.1108","volume":"28","author":[{"given":"Konstantina","family":"Vemou","sequence":"first","affiliation":[]},{"given":"Maria","family":"Karyda","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2020040311053835800_ref001","first-page":"85","article-title":"Towards an effective privacy impact and risk assessment methodology: risk assessment","volume-title":"Trust, Privacy and Security in Digital Business 2018, Lecture Notes in Computer Science","year":"2018"},{"key":"key2020040311053835800_ref002","volume-title":"Big Data for Monitoring Educational Systems","year":"2017"},{"key":"key2020040311053835800_ref003","first-page":"21","article-title":"A process for data protection impact assessment under the european general data protection regulation","volume-title":"Proceedings of the 
Annual Privacy Forum 2016. Privacy Technologies and Policy. Lecture Notes in Computer Science","year":"2016"},{"issue":"2","key":"key2020040311053835800_ref004","doi-asserted-by":"crossref","first-page":"247","DOI":"10.1007\/s12394-010-0062-y","article-title":"Privacy by design: the definitive workshop. A foreword by ann cavoukian","volume":"3","year":"2010","journal-title":"Ph.D. Identity in the Information Society"},{"issue":"2","key":"key2020040311053835800_ref005","doi-asserted-by":"crossref","first-page":"123","DOI":"10.1016\/j.clsr.2009.02.002","article-title":"Privacy impact assessment: its origins and development","volume":"25","year":"2009","journal-title":"Computer Law and Security Review"},{"issue":"2","key":"key2020040311053835800_ref006","doi-asserted-by":"crossref","first-page":"111","DOI":"10.1093\/idpl\/ipr002","article-title":"An evaluation of privacy impact assessment guidance documents","volume":"1","year":"2011","journal-title":"International Data Privacy Law"},{"key":"key2020040311053835800_ref007","unstructured":"Commission Nationale de l\u2019Informatique et des Libertes (CNIL) (2018), \u201cPrivacy impact assessment (PIA) methodology\u201d, available at: www.cnil.fr\/en\/PIA-privacy-impact-assessment-en (accessed 31 March 2019)."},{"key":"key2020040311053835800_ref008","first-page":"52","article-title":"A refinement approach for the reuse of privacy risk analysis results","volume-title":"Privacy Technologies and Policy","year":"2017"},{"issue":"12","key":"key2020040311053835800_ref009","doi-asserted-by":"crossref","first-page":"753","DOI":"10.1136\/jme.2009.029918","article-title":"Privacy impact assessment in the design of transnational public health information systems: the BIRO project","volume":"35","year":"2009","journal-title":"Journal of Medical Ethics"},{"key":"key2020040311053835800_ref010","unstructured":"European Data Protection Supervisor (EDPS) (2019), \u201cIPEN \u2013 Internet privacy engineering network\u201d, available at: 
https:\/\/edps.europa.eu\/data-protection\/ipen-internet-privacy-engineering-network_en (accessed 29 May 2019)."},{"key":"key2020040311053835800_ref011","unstructured":"ENISA (2013), \u201cRecommendations for a methodology of the assessment of severity of personal data breaches\u201d, available at: www.enisa.europa.eu\/publications\/dbn-severity (accessed 29 May 2019)."},{"key":"key2020040311053835800_ref012","unstructured":"ENISA (2017a), \u201cHandbook on security of personal data processing\u201d, available at: www.enisa.europa.eu\/publications\/handbook-on-security-of-personal-data-processing (accessed 31 March 2019)."},{"key":"key2020040311053835800_ref013","unstructured":"ENISA (2017b), \u201cA tool on privacy enhancing technologies (PETs) knowledge management and maturity assessment\u201d, available at: www.enisa.europa.eu\/publications\/pets-maturity-tool (accessed 29 May 2019). European Commission (2015), \u201cSpecial eurobarometer 423 cyber security\u201d, Report 978 DR-01-15-143-EN-N, European Commission."},{"key":"key2020040311053835800_ref014","article-title":"ISO\/IEC 29134 information technology \u2013 security techniques \u2013 privacy impact assessment \u2013 guidelines","author":"International Organization for Standardization (ISO)","year":"2017"},{"key":"key2020040311053835800_ref015","first-page":"239","article-title":"EPIC: a methodology for evaluating privacy violation risk in cybersecurity systems","volume":"11","year":"2018","journal-title":"Transactions on Data Privacy"},{"key":"key2020040311053835800_ref016","first-page":"79","article-title":"Supporting privacy impact assessments using problem-based privacy analysis","volume-title":"Software Technologies. 
ICSOFT 2015, Communications in Computer and Information Science","year":"2015"},{"key":"key2020040311053835800_ref017","first-page":"151","article-title":"PRIPARE: integrating privacy best practices into a privacy engineering methodology","year":"2015"},{"issue":"2","key":"key2020040311053835800_ref018","doi-asserted-by":"crossref","first-page":"126","DOI":"10.1057\/ejis.2013.18","article-title":"A systematic methodology for privacy impact assessments: a design science approach","volume":"23","year":"2014","journal-title":"European Journal of Information Systems"},{"key":"key2020040311053835800_ref019","unstructured":"Office of the Australian Information Commissioner (OAIC) (2014), \u201cGuide to undertaking privacy impact assessments\u201d, available at: www.oaic.gov.au\/agencies-and-organisations\/guides\/guide-to-undertaking-privacy-impact-assessments (accessed 31 March 2019)."},{"key":"key2020040311053835800_ref020","unstructured":"Office of the Australian Information Commissioner (OAIC) (2018), \u201cData breach preparation and response: a guide to managing data breaches in accordance with the privacy act 1988\u201d, available at: www.oaic.gov.au\/resources\/agencies-and-organisations\/guides\/data-breach-preparation-and-response.pdf (accessed 10 June 2019)."},{"key":"key2020040311053835800_ref021","unstructured":"Office of the Privacy Commissioner (OPC) New Zealand (2015), \u201cPrivacy impact assessment toolkit\u201d, available at: www.privacy.org.nz\/news-and-publications\/guidance-resources\/privacy-impact-assessment\/ (accessed 31 March 2019)."},{"key":"key2020040311053835800_ref022","unstructured":"Smart Grid Task Force 2012\u201314 Expert Group 2 (2014), \u201cData protection impact assessment template for smart grid and smart metering systems\u201d, available at: https:\/\/ec.europa.eu\/energy\/sites\/ener\/files\/documents\/DPIA%20template_incl%20line%20numbers.pdf (accessed 31 March 
2019)."},{"issue":"3","key":"key2020040311053835800_ref023","doi-asserted-by":"crossref","first-page":"477","DOI":"10.2307\/40041279","article-title":"A taxonomy of privacy","volume":"154","year":"2006","journal-title":"University of Pennsylvania Law Review"},{"key":"key2020040311053835800_ref024","first-page":"323","article-title":"The RFID PIA \u2013 developed by industry, endorsed by regulators","year":"2012"},{"key":"key2020040311053835800_ref025","unstructured":"Treasury Board of Canada Secretariat (Canada TBS) (2010), \u201cDirective of privacy impact assessments\u201d, available at: www.tbs-sct.gc.ca\/pol\/doc-eng.aspx?id=18308 (accessed 31 March 2019)."},{"key":"key2020040311053835800_ref026","unstructured":"UK Information Commissioner\u2019s Office (ICO) (2014), \u201cConducting privacy impact assessments: code of practice\u201d, available at: https:\/\/ico.org.uk\/media\/for-organisations\/documents\/1595\/pia-code-of-practice.pdf (accessed 02 March 2018)."},{"key":"key2020040311053835800_ref027","first-page":"1","article-title":"Privacy impact assessments in practice: outcome of a descriptive field research in The Netherlands","volume-title":"Ceur Workshop Proceedings, Alamo, J.M. del (Ed.), IWPE 2017: International Workshop on Privacy Engineering: Proceedings of the 3rd International Workshop on Privacy Engineering, co-located with 38th IEEE Symposium on Security and Privacy (S&P 2017) San Jose (CA), USA, May 25, 2017","year":"2017"},{"key":"key2020040311053835800_ref028","first-page":"258","article-title":"An organizational scheme for privacy impact assessments","volume-title":"Information Systems. EMCIS 2018. 
Lecture Notes in Business Information Processing","year":"2018"},{"issue":"5","key":"key2020040311053835800_ref029","doi-asserted-by":"crossref","first-page":"307","DOI":"10.1080\/01972243.2013.825687","article-title":"Making privacy impact assessment more effective","volume":"29","year":"2013","journal-title":"The Information Society"},{"key":"key2020040311053835800_ref030","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1007\/978-94-007-2543-0_1","article-title":"Introduction to privacy impact assessment","volume-title":"Privacy Impact Assessment","year":"2012"},{"issue":"1","key":"key2020040311053835800_ref031","article-title":"A comparative analysis of privacy impact assessment in six countries","volume":"9","year":"2013","journal-title":"Journal of Contemporary European Research"}],"container-title":["Information & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-04-2019-0047\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-04-2019-0047\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:51Z","timestamp":1753406571000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/28\/1\/35-53\/108348"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,8,26]]},"references-count":31,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2019,8,26]]}},"alternative-id":["10.1108\/ICS-04-2019-0047"],"URL":"https:\/\/doi.org\/10.1108\/ics-04-2019-0047","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2019,8,26]]}}}