Maintaining privacy as an online business is crucial. Customers place their trust in your business by giving their private information to you, so it becomes your responsibility to maintain consumer trust and protect your business’ customer relationships.  

To ascertain the best way possible to protect the privacy of your business, you might consider undertaking a Privacy Impact Assessment (PIA).

If you think your business could benefit from strengthening its privacy protections, keep reading to learn more about a Privacy Impact Assessment and other ways to maintain a strong cyber security system.

What Is A Privacy Impact Assessment?

A Privacy Impact Assessment analyses your current systems and the kind of private information they hold. It’s a step-by-step process that requires gathering all the relevant information, informing the right people and then taking targeted action.

When the process of the PIA is complete, it’s up to the business that initiated it to make the right changes (if any are required). 

What Is The Purpose Of A Privacy Impact Assessment?

The PIA can make your business more legally compliant and help customers trust your business. 

Depending on the nature of your business, it is likely to be held under certain privacy obligations. For example, if you’re running a telehealth business, then you will be subject to stricter privacy regulations than a business that sells clothing online.

This is because businesses that collect health information are held to a higher standard due to the sensitive nature of health information. 

A PIA can identify whether or not the current systems your business has in place are enough to satisfy any privacy obligations it is subject to, such as those under the Privacy Act 1988.

When Is A Privacy Impact Assessment Required?

It is recommended to get a PIA right at the beginning of a new project or venture. Privacy concerns can end up heavily impacting a project and often, there are aspects of the project that will need to cater to privacy concerns. 

Therefore, it’s better to have it done as early on as possible. However, if you didn’t do this at the start of your project, then there’s no need to stress – you can still get a PIA at any time. 

Even if you don’t have a new business or project, it’s always a good idea to conduct a PIA to be on the safe side.

Role Of The OAIC

The Office of the Australian Information Commissioner (OAIC) promotes the regulations regarding privacy and access to information. The OAIC is an independent government agency and largely enforces the Australian Privacy Principles (APPs) as well as the Privacy Act 1988.

For businesses, the APPs are important as they set out some relevant rules around the collection and handling of personal information. The principles require Australian businesses to take reasonable steps to secure any private information they have acquired from their customers. 

As the OAIC is responsible for this side of the law, they are the ones to enforce the rules regarding every business’ privacy obligations towards consumers. 

How To Reduce Vulnerabilities And Threats

Whether or not your business is impacted by privacy legislation, it’s a commonly known fact that the internet is filled with threats. Scams, spoofs, malware and systems attacks can all occur, compromising the security of your business’ inside information.

Therefore, it’s vital that you have some kind of cyber security system in place to prevent this from happening. This can include regularly updating your systems, restricting access, training all users regarding cyber security and getting the relevant insurance.  

Another way to be proactive about reducing potential threats is to have a Data Breach Response Plan in place. A Data Breach Response Plan is essentially a plan for what happens when private data belonging to the business is compromised. This way, if an emergency does arise, your response can be much more efficient in rectifying the situation. 

How Do I Undertake A Privacy Impact Assessment?

Undertaking a PIA requires a number of steps. Keep in mind that there is no rigid procedure that must be followed strictly. Rather, this is just a general overview of what a Privacy Impact Assessment is likely to look like. 

Threshold Assessment

The threshold assessment is simply deciding whether or not the project in question actually needs a PIA. Generally, the main question that will be asked here is whether or not this project deals with the private information of others. If private information is collected, stored or used in any way, then the answer is likely to be yes.  

If the answer is no, then it’s recommended to keep a record of the threshold assessment anyway.

Plan The PIA

Once it has been decided that a PIA is needed, the next step is to plan it. There is no singular process to planning a Privacy Impact Assessment – the scope of work for each individual project will be looked at to decide what will be required in the actual assessment. 

Naturally, projects with higher privacy risks will have more detailed planning compared to those that fall on the lower risk side. 

Describe The Project

The next step to undertaking a Privacy Impact Assessment is to describe the project it is assessing. This should just be a simple and fairly brief description of the overall project, identifying points such as: 

  • The overall goals of the project 
  • Overarching values and objectives 
  • Main people responsible for the project 
  • The scope of work 
  • Time frames
  • Main aspects that relate to privacy 
  • Connections with other projects 

Identify And Consult With Stakeholders

Internal and external stakeholders to a project are likely to be impacted by a privacy assessment. Therefore, it’s wise to take a look at which groups may be impacted, in what ways they will be affected and consult them in case they would like to take action themselves. 

This gives all individuals and groups affected by the project a chance to bring up any of their own concerns and questions, which could better inform the assessment.

It’s essential to make sure all stakeholders are well informed about the PIA. 

Map Information Flows

Mapping out information flows essentially refers to providing an account of how information will move throughout the project. This means looking at how the information is collected, the ways in which it is stored and the circumstances under which it is used. 

At this point in the process, any privacy safeguards should also be considered as well as identity verification processes, quality of the information and destruction methods. 

Analysis And Compliance Check

Once all the information regarding privacy and the project has been collected, an analysis will need to be made regarding whether or not it is compliant with all the relevant privacy obligations. This process will include taking a look at both the good and bad factors that have resulted from the previous steps and taking a look at how everything can be improved. 

Address Risks

At this stage in the process, the assessment will require addressing and managing any risks that have been identified. For example, if it is found that the project is in breach of one of the privacy principles, then this will be noted down as a potential risk. 

Any kind of risk should be looked at in terms of proportionality and necessity to the project. All risk management practices need to be proportionate to achieving the objectives of the project as well as necessary in maintaining a strong standard for privacy.

If potential risks have been identified, then one of the last parts of the process is to list any recommendations that can help overcome these challenges. The recommendations are not binding in any way, however, taking them seriously could be the difference between having a project that is legally compliant and one that is not. 

Privacy Impact Assessment Report

Finally, all the findings of the previous steps will be gathered into a single document – the privacy impact assessment report. The report will provide a detailed overview of the risks and recommendations as well as any other information.

Even once you have taken a look at the report and made adjustments according to the recommendations, it’s still highly advisable to keep hold of the document and keep track of any changes that were made in light of it.    

Respond And Review

The most important part of the privacy impact assessment comes at the end of the process, where it is your responsibility to review the report and respond to it accordingly. 

The changes might vary from minor changes to even major alterations. However, it’s important to ensure that your business is not only legally compliant with privacy regulations, but is also doing its best to retain the trust of its customers by taking their privacy seriously. With this in mind, it’s important to review that report and make any necessary changes. 

For a more detailed overview of how a Privacy Impact Assessment works, click here

What Are My Other Privacy Obligations?

As we mentioned before, the Australian Privacy Principles are important for businesses to understand and adhere to, as they contain important information regarding how businesses should handle the private data they collect.

According to the APPs, any business that collects private information from their customers such as their name, address, phone number or email must have a Privacy Policy in place.  

A Privacy Policy lets customers know which parts of their data are being collected, what is being done with it and how it’s being stored. Consumers have a right to know this information, so it’s vital that you remain transparent about your business practices.  

Key Takeaways

Security and privacy are a huge concern for businesses that are operating online. Undertaking a Privacy Impact Assessment can help combat any issues and keep your business legally compliant at the same time. To summarise what we’ve discussed:

  • A PIA is an analysis of future or current online security measures for a project
  • It helps businesses adhere to their privacy obligations and secure the information of their customers
  • It’s best to get an assessment done at the beginning of a project; however, it can be done at any time
  • The OAIC is the main regulatory body for these matters
  • Other ways to maintain security include taking cyber security measures and getting a data breach response plan
  • There are a number of steps when undertaking a Privacy Impact Assessment; however, it is not a rigid process that must be followed the exact same way
  • A privacy policy may also be required

If your business is engaging in activity that is likely to impact the privacy of individuals, it’s always wise to have a Privacy Impact Assessment Plan. This plan usually details certain recommendations for minimising any impact of your business activities on the privacy of individuals.

If you would like a consultation on undertaking a Privacy Impact Assessment, you can reach us at 1800 730 617 or for a free, no-obligations chat.

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're Australia's fastest growing law firm and operate entirely online.

