When to do a PIA?
Making any change to specifications, and fixing any error, requires re-work which incurs delays and costs, and because it is error-prone it risks even more work afterwards. The cost of making changes increases rapidly the later in the project they are made. Therefore, privacy protective features should be designed into a system, rather than bolted-on later.
In order to achieve that, the following guidelines are suggested.
- Start early to ensure that project risks are identified and appreciated before the problems become embedded in the design.
- Commence a PIA as part of the project initiation phase (or its equivalent in whichever project method the organisation uses).
- If the project is already under way, start today, so that any major issues are identified with the minimum possible delay.
While a PIA should be conducted at an early stage of a project, compliance checks, on the other hand, are usually performed later, after business processes and rules have been specified sufficiently so that they can be assessed for their compliance with the law. Organisations are likely to find it more effective to integrate the PIA within the project plan as a whole, or within broader risk assessment and risk management activities.
The most beneficial and cost-effective approach may be to conceive of the PIA as:
- a cyclical process;
- linked to the project’s own life-cycle; and
- re-visited in each new project phase.
Each version can then take account of both the more detailed specifications that are currently available for the scheme, and the outcomes of previous phases of the PIA. More specifically, later versions can correspond with the later phases of the project (eg requirements analysis, logical design, physical design, construction, integration and deployment of the new system, or their equivalents in whichever project method the organisation uses).