Evaluating privacy impact assessment methods: guidelines and best practice

Konstantina Vemou (Department of Information and Communication Systems Engineering, University of the Aegean, Samos, Greece)
Maria Karyda (Department of Information and Communication Systems Engineering, University of the Aegean, Samos, Greece)

Information and Computer Security

ISSN: 2056-4961

Publication date: 26 August 2019



This paper aims to practically guide privacy impact assessment (PIA) implementation by proposing a PIA process incorporating best practices from existing PIA guidelines and privacy research.


This paper critically reviews and assesses generic PIA methods proposed by related research, data protection authorities and standard’s organizations, to identify best practices and practically support PIA practitioners. To address identified gaps, best practices from privacy literature are proposed.


This paper proposes a PIA process based on best practices, as well as an evaluation framework for existing PIA guidelines, focusing on practical support to PIA practitioners.

Practical implications

The proposed PIA process facilitates PIA practitioners in organizing and implementing PIA projects. This paper also provides an evaluation framework, comprising a comprehensive set of 17 criteria, for PIA practitioners to assess whether PIA methods/guidelines can adequately support requirements of their PIA projects (e.g. special legal framework and needs for PIA project organization guidance).


This research extends PIA guidelines (e.g. ISO 29134) by providing comprehensive and practical guidance to PIA practitioners. The proposed PIA process is based on best practices identified from evaluation of nine commonly used PIA methods, enriched with guidelines from privacy literature, to accommodate gaps and support tasks that were found to be inadequately described or lacking practical guidance.



Vemou, K. and Karyda, M. (2019), "Evaluating privacy impact assessment methods: guidelines and best practice", Information and Computer Security, Vol. 28 No. 1, pp. 35-53. https://doi.org/10.1108/ICS-04-2019-0047



Emerald Publishing Limited

Copyright © 2019, Emerald Publishing Limited

To read the full version of this content please select one of the options below

You may be able to access this content by logging in via Shibboleth, Open Athens or with your Emerald account.
To rent this content from Deepdyve, please click the button.
If you think you should have access to this content, click the button to contact our support team.