SIST EN ISO/IEC 29134:2020
Information technology - Security techniques - Guidelines for privacy impact assessment (ISO/IEC 29134:2017)
This document gives guidelines for:
- a process on privacy impact assessments, and
- a structure and content of a PIA report.
It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations. This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.
Informationstechnik - Sicherheitsverfahren - Datenschutz-Folgenabschätzung - Leitfaden (ISO/IEC 29134:2017)
This document provides guidance for
- a process for privacy impact assessment, and
- the structure and content of a PIA report.
It is applicable to organizations of every type and size, including public companies, private-sector companies, government bodies and non-profit organizations.
This document is relevant to those involved in the development or implementation of projects, including the operators of data processing systems and services with which personal data are processed.
Technologies de l'information - Techniques de sécurité - Lignes directrices pour l'évaluation d'impacts sur la vie privée (ISO/IEC 29134:2017)
Informacijska tehnologija - Varnostne tehnike - Smernice za ocenjevanje vpliva na zasebnost (ISO/IEC 29134:2017)
General Information
- Status: Published
- Public Enquiry End Date: 29-Jan-2020
- Publication Date: 16-Apr-2020
- Technical Committee: ITC - Information technology
- Current Stage: 6060 - National Implementation/Publication (Adopted Project)
- Start Date: 02-Apr-2020
- Due Date: 07-Jun-2020
- Completion Date: 17-Apr-2020
Relations
- Effective Date: 08-Dec-2021
Overview
EN ISO/IEC 29134:2020 (ISO/IEC 29134:2017) provides international, scalable guidelines for conducting Privacy Impact Assessments (PIAs). Adopted by CEN as a European standard, it describes a structured process to assess and treat privacy risks associated with initiatives that process personally identifiable information (PII) - including processes, information systems, programmes, software modules, devices or other initiatives. The standard supports privacy by design and can be integrated with established information security management (for example ISO/IEC 27001) and data protection practices.
Key topics and technical requirements
- PIA purpose and benefits: defines objectives for PIA reporting, accountability and scalable application across projects.
- Threshold analysis: guidance to determine whether a PIA is necessary before starting (section 6.2).
- Preparation: create a PIA team, prepare a PIA plan, describe what is being assessed and engage stakeholders (sections 6.3.1–6.3.4).
- Execution: identify PII information flows, analyse use-case implications, determine privacy safeguarding requirements and perform privacy risk assessment (sections 6.4.1–6.4.4).
- Risk treatment and follow-up: prepare risk treatment plans, implement controls, publish reports, and review/audit outcomes (sections 6.4.5 and 6.5).
- Reporting: recommended PIA report structure, scope, privacy requirements, risk assessment results and public summary (clause 7).
- Supporting material: annexes include scale criteria for impact and likelihood, generic threats, term explanations and illustrated examples to support the PIA process.
Practical applications
EN ISO/IEC 29134:2020 is practical for:
- Assessing privacy risks early in project lifecycles to embed privacy by design.
- Evaluating new or changed information systems, software modules, devices or programs that handle PII.
- Documenting privacy risk assessments and treatment plans for internal governance and external accountability.
- Integrating with an organization’s ISMS and compliance processes to manage privacy alongside information security.
Who uses this standard
- Data Protection Officers (DPOs) and privacy professionals
- Security architects and IT project managers conducting system design or procurement
- Compliance and risk teams documenting legal and regulatory privacy risk mitigation
- Developers and product owners embedding privacy by design into services and devices
Related standards
- ISO/IEC 27001 (information security management) - the PIA guidance can complement ISMS controls and risk treatment processes.
- Adopted as EN ISO/IEC 29134:2020 by CEN/CENELEC (Technical Committee CEN/CLC/JTC 13 “Cybersecurity and Data Protection”).
Keywords: EN ISO/IEC 29134:2020, ISO/IEC 29134, privacy impact assessment, PIA, privacy by design, PII, privacy risk, data protection, information security.
Frequently Asked Questions
SIST EN ISO/IEC 29134:2020 is a standard published by the Slovenian Institute for Standardization (SIST). Its full title is "Information technology - Security techniques - Guidelines for privacy impact assessment (ISO/IEC 29134:2017)". This standard gives guidelines for:
- a process on privacy impact assessments, and
- a structure and content of a PIA report.
It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations. This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.
SIST EN ISO/IEC 29134:2020 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.
SIST EN ISO/IEC 29134:2020 has the following relationship with other standards: it has an inter-standard link to SIST EN ISO/IEC 29134:2020/oprA1:2022. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
You can purchase SIST EN ISO/IEC 29134:2020 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of SIST standards.
Standards Content (Sample)
SLOVENIAN STANDARD
01-May-2020
Informacijska tehnologija - Varnostne tehnike - Smernice za ocenjevanje vpliva na zasebnost (ISO/IEC 29134:2017)
Information technology - Security techniques - Guidelines for privacy impact assessment (ISO/IEC 29134:2017)
Informationstechnik - Sicherheitsverfahren - Datenschutz-Folgenabschätzung - Leitfaden (ISO/IEC 29134:2017)
Technologies de l'information - Techniques de sécurité - Lignes directrices pour l'évaluation d'impacts sur la vie privée (ISO/IEC 29134:2017)
This Slovenian standard is identical to: EN ISO/IEC 29134:2020
ICS:
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.
EUROPEAN STANDARD / NORME EUROPÉENNE / EUROPÄISCHE NORM
EN ISO/IEC 29134
March 2020
ICS 35.030
English version
Information technology - Security techniques - Guidelines for privacy impact assessment (ISO/IEC 29134:2017)
Technologies de l'information - Techniques de sécurité - Lignes directrices pour l'évaluation d'impacts sur la vie privée (ISO/IEC 29134:2017)
Informationstechnik - Sicherheitsverfahren - Datenschutz-Folgenabschätzung - Leitfaden (ISO/IEC 29134:2017)
This European Standard was approved by CEN on 2 March 2020.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 29134:2020 E
Contents
European foreword ... page 3
European foreword
The text of ISO/IEC 29134:2017 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology" of the International Organization for Standardization (ISO) and has been taken over as
EN ISO/IEC 29134:2020 by Technical Committee CEN/CLC/JTC 13 "Cybersecurity and Data Protection",
the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by September 2020, and conflicting national standards
shall be withdrawn at the latest by September 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 29134:2017 has been approved by CEN as EN ISO/IEC 29134:2020 without any
modification.
INTERNATIONAL STANDARD ISO/IEC 29134
First edition
2017-06
Information technology — Security techniques — Guidelines for privacy impact assessment
Technologies de l’information — Techniques de sécurité — Lignes directrices pour l’évaluation d’impacts sur la vie privée
Reference number: ISO/IEC 29134:2017(E)
© ISO/IEC 2017
ISO/IEC 29134:2017(E)
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2017 – All rights reserved
Contents (page)
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Abbreviated terms ... 3
5 Preparing the grounds for PIA ... 4
5.1 Benefits of carrying out a PIA ... 4
5.2 Objectives of PIA reporting ... 5
5.3 Accountability to conduct a PIA ... 5
5.4 Scale of a PIA ... 6
6 Guidance on the process for conducting a PIA ... 6
6.1 General ... 6
6.2 Determine whether a PIA is necessary (threshold analysis) ... 7
6.3 Preparation of the PIA ... 7
6.3.1 Set up the PIA team and provide it with direction ... 7
6.3.2 Prepare a PIA plan and determine the necessary resources for conducting the PIA ... 9
6.3.3 Describe what is being assessed ... 10
6.3.4 Stakeholder engagement ... 11
6.4 Perform the PIA ... 13
6.4.1 Identify information flows of PII ... 13
6.4.2 Analyse the implications of the use case ... 14
6.4.3 Determine the relevant privacy safeguarding requirements ... 15
6.4.4 Assess privacy risk ... 16
6.4.5 Prepare for treating privacy risks ... 19
6.5 Follow up the PIA ... 23
6.5.1 Prepare the report ... 23
6.5.2 Publication ... 24
6.5.3 Implement privacy risk treatment plans ... 24
6.5.4 Review and/or audit of the PIA ... 25
6.5.5 Reflect changes to the process ... 26
7 PIA report ... 26
7.1 General ... 26
7.2 Report structure ... 27
7.3 Scope of PIA ... 27
7.3.1 Process under evaluation ... 27
7.3.2 Risk criteria ... 29
7.3.3 Resources and people involved ... 29
7.3.4 Stakeholder consultation ... 29
7.4 Privacy requirements ... 29
7.5 Risk assessment ... 29
7.5.1 Risk sources ... 29
7.5.2 Threats and their likelihood ... 29
7.5.3 Consequences and their level of impact ... 30
7.5.4 Risk evaluation ... 30
7.5.5 Compliance analysis ... 30
7.6 Risk treatment plan ... 30
7.7 Conclusion and decisions ... 30
7.8 PIA public summary ... 30
Annex A (informative) Scale criteria on the level of impact and on the likelihood ... 32
Annex B (informative) Generic threats ... 34
Annex C (informative) Guidance on the understanding of terms used ... 38
Annex D (informative) Illustrated examples supporting the PIA process ... 40
Bibliography ... 42
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
Introduction
A privacy impact assessment (PIA) is an instrument for assessing the potential impacts on privacy of a
process, information system, programme, software module, device or other initiative which processes
personally identifiable information (PII) and, in consultation with stakeholders, for taking actions as
necessary in order to treat privacy risk. A PIA report may include documentation about measures taken
for risk treatment, for example, measures arising from the use of the information security management
system (ISMS) in ISO/IEC 27001. A PIA is more than a tool: it is a process that begins at the earliest
possible stages of an initiative, when there are still opportunities to influence its outcome and thereby
ensure privacy by design. It is a process that continues until, and even after, the project has been
deployed.
Initiatives vary substantially in scale and impact. Objectives falling under the heading of “privacy”
will depend on culture, societal expectations and jurisdiction. This document is intended to provide
scalable guidance that can be applied to all initiatives. Since guidance specific to all circumstances
cannot be prescriptive, the guidance in this document should be interpreted with respect to individual
circumstance.
A PII controller may have a responsibility to conduct a PIA and may request a PII processor to assist in
doing this, acting on the PII controller’s behalf. A PII processor or a supplier may also wish to conduct
their own PIA.
A supplier’s PIA information is especially relevant when digitally connected devices are part of the
information system, application or process being assessed. It may be necessary for suppliers of such
devices to provide privacy-relevant design information to those undertaking the PIA. When the
provider of digital devices is unskilled in and not resourced for PIAs, for example:
— a small retailer, or
— a small and medium-sized enterprise (SME) using digitally connected devices in the course of its
normal business operations,
then, in order to enable it to undertake minimal PIA activity, the device supplier may be called upon to
provide a great deal of privacy information and undertake its own PIA with respect to the expected PII
principal/SME context for the equipment they supply.
A PIA is typically conducted by an organization that takes its responsibility seriously and treats PII
principals adequately. In some jurisdictions, a PIA may be necessary to meet legal and regulatory
requirements.
This document is intended to be used when the privacy impact on PII principals includes consideration
of processes, information systems or programmes, where:
— the responsibility for the implementation and/or delivery of the process, information system or
programme is shared with other organizations and it should be ensured that each organization
properly addresses the identified risks;
— an organization is performing privacy risk management as part of its overall risk management effort
while preparing for the implementation or improvement of its ISMS (established in accordance with
ISO/IEC 27001 or equivalent management system); or an organization is performing privacy risk
management as an independent function;
— an organization (e.g. government) is undertaking an initiative (e.g. a public-private-partnership
programme) in which the future PII controller organization is not known yet, with the result that
the treatment plan could not get implemented directly and, therefore, this treatment plan should
become part of corresponding legislation, regulation or the contract instead;
— the organization wants to act responsibly towards the PII principals.
Controls deemed necessary to treat the risks identified during the privacy impact analysis process
may be derived from multiple sets of controls, including ISO/IEC 27002 (for security controls) and
ISO/IEC 29151 (for PII protection controls) or comparable national standards, or they may be defined
by the person responsible for conducting the PIA, independently of any other control set.
INTERNATIONAL STANDARD ISO/IEC 29134:2017(E)
Information technology — Security techniques — Guidelines for privacy impact assessment
1 Scope
This document gives guidelines for
— a process on privacy impact assessments, and
— a structure and content of a PIA report.
It is applicable to all types and sizes of organizations, including public companies, private companies,
government entities and not-for-profit organizations.
This document is relevant to those involved in designing or implementing projects, including the parties
operating data processing systems and services that process PII.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO Guide 73:2009, Risk management — Vocabulary
ISO/IEC 27000:2016, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 29100:2011, Information technology — Security techniques — Privacy framework
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 29100, ISO/IEC 27000,
ISO Guide 73 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
acceptance statement
formal management declaration to assume responsibility for risk ownership, risk treatment and
residual risk
3.2
asset
anything that has value to anyone involved in the processing of personally identifiable information (PII)
Note 1 to entry: In the context of a privacy risk management process, an asset is either PII or a supporting asset.
3.3
assessor
person who leads and conducts a privacy impact assessment (3.7)
Note 1 to entry: The assessor may be supported by one or more other internal and/or external experts as part of
their team.
Note 2 to entry: The assessor may be an expert internal or external to the organization.
3.4
process
set of interrelated or interacting activities which transforms inputs into outputs
[SOURCE: ISO/IEC Directives, Part 1, Consolidated ISO Supplement:2014, 3.12]
3.5
device
combination of hardware and software, or solely software, that allows a user to perform actions
3.6
privacy impact
anything that has an effect on the privacy of a PII principal and/or group of PII principals
Note 1 to entry: The privacy impact could result from the processing of PII in conformance or in violation of
privacy safeguarding requirements.
3.7
privacy impact assessment
PIA
overall process of identifying, analysing, evaluating, consulting, communicating and planning the
treatment of potential privacy impacts with regard to the processing of personally identifiable
information, framed within an organization’s broader risk management framework
Note 1 to entry: Adapted from ISO/IEC 29100:2011, 2.20.
3.8
privacy risk map
diagram that indicates the level of impact and likelihood of privacy risks identified
Note 1 to entry: The map is typically used to determine the order in which the privacy risks should be treated.
3.9
programme
group of projects managed in a coordinated way to obtain benefits not available from managing them
individually
[SOURCE: ISO 14300-1:2011, 3.2]
3.10
project
unique process, consisting of a set of coordinated and controlled activities with start and finish dates,
undertaken to achieve an objective conforming to specific requirements, including the constraints of
time, cost and resources
[SOURCE: ISO 9000:2015, 3.4.2]
3.11
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
[SOURCE: ISO/IEC Directives, Part 1, Consolidated ISO Supplement:2014, 3.01]
3.12
severity
estimation of the magnitude of potential impacts on the privacy of a PII principal
3.13
system
information system
applications, services, information technology assets, or other information handling components
[SOURCE: ISO/IEC 27000:2016, 2.39]
3.14
stakeholder
person or organization that can affect, be affected by, or perceive itself to be affected by a decision or
activity
Note 1 to entry: Includes PII principals, management, regulators and customers.
Note 2 to entry: Consultation with stakeholders is integral to a PIA.
[SOURCE: ISO/IEC Directives, Part 1, Consolidated ISO Supplement:2014, 3.02 – modified – The preferred
term “interested party” has been removed from this entry.]
3.15
technology
hardware, software, and firmware systems and system elements including, but not limited to, information
technology, embedded systems, or any other electro-mechanical or processor-based systems
[SOURCE: ISO/IEC 16509:1999, 3.3]
4 Abbreviated terms
API application programming interface
BYOD bring your own device
ICT information and communication technologies
ISMS information security management system
PII personally identifiable information
SME small and medium-sized enterprises
5 Preparing the grounds for PIA
5.1 Benefits of carrying out a PIA
This document provides guidance that can be adapted to a wide range of situations where PII is
processed. However, in general, a PIA can be carried out for the purpose of:
— identifying privacy impacts, privacy risks and responsibilities;
— providing input to design for privacy protection (sometimes called privacy by design);
— reviewing a new information system’s privacy risks and assessing its impact and likelihood;
— providing the basis for the provision of privacy information to PII principals on any PII principal
mitigation action recommended;
— maintaining later updates or upgrades with additional functionality likely to impact the PII that are
handled;
— sharing and mitigating privacy risks with stakeholders, or providing evidence relating to compliance.
NOTE A PIA is sometimes referred to by other terms, for example, a “privacy review” or a “data protection
impact assessment”. These particular instances of a PIA could come with specific implications for both process
and reporting.
A PIA has often been described as an early warning system. It provides a way to detect potential
privacy risks arising from the processing of PII and thereby informs an organization of where it
should take precautions and build tailored safeguards before, not after, the organization makes heavy
investments. The costs of amending a project at the planning stage will usually be a fraction of those
incurred later on. If the privacy impact is unacceptable, the project may even have to be cancelled
altogether. Thus, a PIA helps to identify privacy issues early and/or to reduce costs in management
time, legal expenses and potential media or public concern by considering privacy issues early. It may
also help an organization to avoid costly or embarrassing privacy mistakes.
Although a PIA should be more than simply a compliance check, it does nevertheless contribute to an
organization’s demonstration of its compliance with relevant privacy and data protection requirements
in the event of a subsequent complaint, privacy audit or compliance investigation. In the event of
a privacy risk or breach occurring, the PIA report can provide evidence that the organization acted
appropriately in attempting to prevent the occurrence. This can help to reduce or even eliminate any
liability, negative publicity and loss of reputation.
An appropriate PIA also demonstrates to an organization’s customers and/or citizens that it respects
their privacy and is responsive to their concerns. Customers or citizens are more likely to trust an
organization that performs a PIA than one that does not.
A PIA enhances informed decision-making and exposes internal communication gaps or hidden
assumptions on privacy issues about the project. A PIA is a tool to undertake the systematic analysis of
privacy issues arising from a project in order to inform decision makers. A PIA can be a credible source
of information.
A PIA enables an organization to learn about the privacy pitfalls of a process, information system or
programme upfront, rather than having its auditors or competitors point them out. A PIA assists in
anticipating and responding to the public’s privacy concerns.
A PIA can help an organization gain the public’s trust and confidence that privacy has been built into
the design of a process, information system or programme.
Trust is built on transparency, and a PIA is a disciplined process that promotes open communications,
common understanding and transparency. An organization that undertakes a PIA demonstrates to its
employees and contractors that it takes privacy seriously and expects them to do so too. A PIA is a way
of educating employees about privacy and making them alert to privacy problems that might damage
the organization. It is a way to affirm the organization’s values. A PIA can be used as an indication of
due diligence and may reduce the number of customer audits.
5.2 Objectives of PIA reporting
The PIA reporting objective is to communicate assessment results to stakeholders. Expectations from a
PIA exist from multiple stakeholders.
The following are typical examples of stakeholders and their expectations.
— PII principal – PIA is an instrument to enable subjects of PII to have assurance that their privacy is
being protected.
— Management – Several viewpoints apply:
— PIA as an instrument to manage privacy risks, create awareness and establish accountability;
visibility over PII processing within the organization, and possible risks and impacts of the
same; inputs to business or product strategy;
— Building the PIA into the earliest stages of the project ensures the privacy requirements are
included in the functional and non-functional requirements, are achievable, viable and traced
through change and risk management and may result in the project not happening or being
cancelled. The effort to classify and manage project PII should be funded as a separate investment
line item and amount in a project or programme budget, acceptable to all stakeholders;
— PIA as an opportunity to better understand privacy requirements and assess activities against
these requirements; inputs for product or service design and delivery; reviewed and amended
through the change management process after delivery;
— PIA as an instrument to understand the privacy risks at the function/project/unit level;
consolidation of risks; input to privacy policy design and enforcement mechanisms; inputs for
re-engineering privacy processes.
— Regulator – PIA is an instrument that contributes evidence supporting compliance with applicable
legal requirements. It can provide evidence of due diligence taken by the organization in case of
breach, non-compliance, complaint, etc.
— Customer – PIA is a means to assess how the PII processor or PII controller is handling PII and
provides evidence that it follows the contractual obligations.
PIA reporting should fulfil two basic functions. The first (Inventory) keeps the specific stakeholders
informed of the identified affected entities, the affected environment and the privacy risks across the
life cycle of the affected entities, whether inherent or mitigated. The second (Action items) is a tracking
mechanism for the actions/tasks that improve and/or resolve the identified privacy risks. The sensitivity
of the reporting information with respect to its distribution and release needs to be clearly assessed
and classified (private, confidential, public, etc.).
5.3 Accountability to conduct a PIA
A PIA of processes or information systems should be undertaken by one of a number of different entities
within the organization, but may also be carried out on a process, information system or programme by
consumer organizations or non-governmental organizations.
Typically, the responsibility for ensuring that a PIA is undertaken should, in the first instance, lie
with the person in charge of PII protection, or otherwise with the project manager developing the new
technology, service or other initiative that may impact privacy.
Accountability for ensuring the PIA is undertaken and the quality of the result (PIA accountability)
should lie with the top management of the PII controller. The person who has been assigned
responsibility for conducting the PIA may conduct it themselves, may enlist the help of other internal
© ISO/IEC 2017 – All rights reserved 5
ISO/IEC 29134:2017(E)
and/or external stakeholders or may contract an independent third party to do the work. There are
advantages and disadvantages to each approach.
However, when the PIA is performed directly by the organization, end-user associations or governmental
agencies may request to have the PIA’s adequacy verified by an independent auditor.
The organization should ensure that there is accountability and authority for managing privacy
risks, including the implementation and maintenance of the privacy risk management process and for
ensuring the adequacy and effectiveness of any controls. This can be facilitated by
— specifying who is accountable for the development, implementation and maintenance of the
framework for managing privacy risk, and
— specifying risk owners for implementing privacy risk treatment, maintaining privacy controls and
reporting of relevant privacy risk information.
5.4 Scale of a PIA
The scale of the PIA will depend on how significant the impacts are assumed to be. For example, if the
impacts are assumed to affect only employees of the organization (e.g. the organization may wish to
improve its access control by means of a biometric such as a thumbprint from each employee), then the
PIA could engage only employee representatives and be relatively small scale. However, if a government
department wishes to introduce a new identity management system for all citizens, it will need to
conduct a much larger PIA involving a wide range of external stakeholders.
Organizations should self-assess the required scale of the PIA, in compliance with laws and regulations.
The amount and granularity of the PII per person, the degree of sensitivity of the PII, the number of
PII principals and the number of people who will have access to the PII being processed are the critical
factors in determining this scale.
In the case of SMEs, non-profit or governmental organizations, the appropriate scale of the PIA can be
determined jointly, though not bindingly, by the person conducting the PIA (as per 5.3), the SME's senior
management and/or external experts, whose advice may be sought as appropriate.
6 Guidance on the process for conducting a PIA
6.1 General
The scope of a PIA, the specific details of what it covers and how it is conducted all need to be adapted
to the size of the organization, the local jurisdiction and the specific programme, information system or
process that is the subject of the PIA. In Clause 6,
— the “Objective” is something that should be achieved,
— the “Input” provides guidance about what information may be needed to achieve the “Objective”,
— the “Expected output” is the recommended target for the “Actions”,
— “Actions”, or their equivalents, are guidance on activities that may need to be carried out to achieve
the “Objective” and create the recommended “Expected output”, and
— “Implementation Guidance” provides more details of matters that may need to be considered in
performing the “Actions”.
The “Actions” in this clause, or equivalents, adapted to the desired scope and scale of a PIA may be
implemented stand-alone by an organization. They are intended to form a reasonable basis for planning,
implementing and following up the PIA in a wide range of circumstances.
The organization conducting a PIA process may wish to adapt the process guidance below directly to its
specific PIA scale and scope or, as one possible alternative, to select a suitable risk-based management
system, such as ISO/IEC 27001, and integrate into it appropriately adapted elements of the guidance
below, including the use of the PIA report (see Clause 7) to treat the privacy risks it identifies.
In this document, the term “conducting a PIA” is used to cover both an initial PIA where the necessary
steps and actions are selected to match the particular PIA requirement and an update to an existing PIA
where only the steps and actions necessary for the update are carried out.
Annex C provides further guidance on the understanding of terms used in this document.
To support SMEs in the PIA process, industry associations or bodies of SMEs should be encouraged
to draw up codes of conduct providing valuable guidelines, and SMEs should be encouraged to take
part in these activities. Reasonable codes of conduct would have to respect the values set forth in this
document and could be endorsed by data protection authorities.
6.2 Determine whether a PIA is necessary (threshold analysis)
Objective: To determine whether a new or updated PIA is necessary.
Input: Information about the programme, information system or process under assessment.
Expected output: Threshold analysis result, and mandate to prepare a new or updated PIA if required,
terms of reference and scope of the PIA decided.
Actions:
The organization’s management should decide if a new or updated PIA is required.
If a new or updated PIA is required, the organization’s management, in conjunction with the assessor
to be, should define the terms of reference and determine the boundaries and applicability of the PIA
to establish its scope. The organization should also decide on and document the scale of the PIA, the
process to be used to perform the PIA and the target audiences, and hence the nature and contents of
the PIA reports to be produced.
Output of this process in terms of the threshold analysis result and the PIA scope and terms of reference
should be documented in the PIA report (see 7.2).
Implementation Guidance:
An organization should conduct a new or updated PIA if it perceives impacts on privacy from
— a new or prospective technology, service or other initiative where PII is, or is to be, processed,
— a decision that sensitive PII (see ISO/IEC 29100:2011, 2.26) is going to be processed,
— changes in applicable privacy related laws and regulations, internal policy and standards,
information system operation, purposes and means for processing data, new or changed data flows,
etc., and
— business expansion or acquisitions.
An organization may wish to establish a policy setting out thresholds for triggering a new or updated
PIA and initial technical and organizational measures to apply. Such a policy should take account of any
applicable issues from those listed above, setting boundaries within which processing of PII may be
developed and operated without triggering a new PIA.
6.3 Preparation of the PIA
6.3.1 Set up the PIA team and provide it with direction
Objective: To determine the scope of the PIA and the needed expertise and to formulate the terms
of reference for conducting the PIA.
Input: Mandate to prepare a PIA (see 6.2).
Expected output: Responsible person appointed, risk criteria.
Actions:
A person responsible for conducting a PIA (the assessor) should be identified and appointed by the
organization. The organization should also appoint the person accountable for signing off the PIA report.
The assessor should define the risk criteria and ensure that senior management agrees with the risk
criteria to be used to evaluate the significance of risk. These criteria may be based on those shown in
Annex A, or they may be defined separately by the organization, together with the criteria on how to
estimate the level of impact and the risk with their respective scales. The assessor should also identify
the criteria for risk acceptance and ensure that senior management agrees with these criteria.
Output of this process, in terms of the risk criteria and the resources, should be documented in the PIA
report (see 7.3.2 and 7.3.3).
Implementation Guidance:
The criteria should reflect the organization’s values, objectives and resources. When defining risk
criteria, the assessor should consider the following factors:
— legal and regu
...
SLOVENSKI STANDARD
01-maj-2020
Informacijska tehnologija - Varnostne tehnike - Smernice za ocenjevanje vpliva na
zasebnost (ISO/IEC 29134:2017)
Information technology - Security techniques - Guidelines for privacy impact assessment
(ISO/IEC 29134:2017)
Informationstechnik - Sicherheitsverfahren - Datenschutz-Folgenabschätzung - Leitfaden
(ISO/IEC 29134:2017)
Technologies de l'information - Techniques de sécurité - Lignes directrices pour
l'évaluation d'impacts sur la vie privée (ISO/IEC 29134:2017)
Ta slovenski standard je istoveten z: EN ISO/IEC 29134:2020
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD
EN ISO/IEC 29134
NORME EUROPÉENNE
EUROPÄISCHE NORM
March 2020
ICS 35.030
English version
Information technology - Security techniques - Guidelines
for privacy impact assessment (ISO/IEC 29134:2017)
Technologies de l'information - Techniques de sécurité Informationstechnik - Sicherheitsverfahren -
- Lignes directrices pour l'évaluation d'impacts sur la Datenschutz-Folgenabschätzung - Leitfaden (ISO/IEC
vie privée (ISO/IEC 29134:2017) 29134:2017)
This European Standard was approved by CEN on 2 March 2020.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. EN ISO/IEC 29134:2020 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3
European foreword
The text of ISO/IEC 29134:2017 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by September 2020, and conflicting national standards
shall be withdrawn at the latest by September 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 29134:2017 has been approved by CEN as EN ISO/IEC 29134:2020 without any
modification.
INTERNATIONAL ISO/IEC
STANDARD 29134
First edition
2017-06
Information technology — Security
techniques — Guidelines for privacy
impact assessment
Technologies de l’information — Techniques de sécurité — Lignes
directrices pour l’évaluation d’impacts sur la vie privée
Reference number
ISO/IEC 29134:2017(E)
©
ISO/IEC 2017
ISO/IEC 29134:2017(E)
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2017 – All rights reserved
ISO/IEC 29134:2017(E)
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 3
5 Preparing the grounds for PIA . 4
5.1 Benefits of carrying out a PIA. 4
5.2 Objectives of PIA reporting . 5
5.3 Accountability to conduct a PIA . 5
5.4 Scale of a PIA . 6
6 Guidance on the process for conducting a PIA . 6
6.1 General . 6
6.2 Determine whether a PIA is necessary (threshold analysis) . 7
6.3 Preparation of the PIA . 7
6.3.1 Set up the PIA team and provide it with direction . 7
6.3.2 Prepare a PIA plan and determine the necessary resources for conducting
the PIA . . 9
6.3.3 Describe what is being assessed .10
6.3.4 Stakeholder engagement .11
6.4 Perform the PIA .13
6.4.1 Identify information flows of PII .13
6.4.2 Analyse the implications of the use case .14
6.4.3 Determine the relevant privacy safeguarding requirements .15
6.4.4 Assess privacy risk .16
6.4.5 Prepare for treating privacy risks .19
6.5 Follow up the PIA .23
6.5.1 Prepare the report .23
6.5.2 Publication .24
6.5.3 Implement privacy risk treatment plans .24
6.5.4 Review and/or audit of the PIA.25
6.5.5 Reflect changes to the process .26
7 PIA report .26
7.1 General .26
7.2 Report structure .27
7.3 Scope of PIA .27
7.3.1 Process under evaluation .27
7.3.2 Risk criteria .29
7.3.3 Resources and people involved .29
7.3.4 Stakeholder consultation .29
7.4 Privacy requirements .29
7.5 Risk assessment .29
7.5.1 Risk sources .29
7.5.2 Threats and their likelihood .29
7.5.3 Consequences and their level of impact .30
7.5.4 Risk evaluation .30
7.5.5 Compliance analysis .30
7.6 Risk treatment plan .30
7.7 Conclusion and decisions .30
7.8 PIA public summary .30
Annex A (informative) Scale criteria on the level of impact and on the likelihood.32
© ISO/IEC 2017 – All rights reserved iii
ISO/IEC 29134:2017(E)
Annex B (informative) Generic threats .34
Annex C (informative) Guidance on the understanding of terms used .38
Annex D (informative) Illustrated examples supporting the PIA process .40
Bibliography .42
iv © ISO/IEC 2017 – All rights reserved
ISO/IEC 29134:2017(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: w w w . i s o .org/ iso/ foreword .html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
© ISO/IEC 2017 – All rights reserved v
ISO/IEC 29134:2017(E)
Introduction
A privacy impact assessment (PIA) is an instrument for assessing the potential impacts on privacy of a
process, information system, programme, software module, device or other initiative which processes
personally identifiable information (PII) and, in consultation with stakeholders, for taking actions as
necessary in order to treat privacy risk. A PIA report may include documentation about measures taken
for risk treatment, for example, measures arising from the use of the information security management
system (ISMS) in ISO/IEC 27001. A PIA is more than a tool: it is a process that begins at the earliest
possible stages of an initiative, when there are still opportunities to influence its outcome and thereby
ensure privacy by design. It is a process that continues until, and even after, the project has been
deployed.
Initiatives vary substantially in scale and impact. Objectives falling under the heading of “privacy”
will depend on culture, societal expectations and jurisdiction. This document is intended to provide
scalable guidance that can be applied to all initiatives. Since guidance specific to all circumstances
cannot be prescriptive, the guidance in this document should be interpreted with respect to individual
circumstance.
A PII controller may have a responsibility to conduct a PIA and may request a PII processor to assist in
doing this, acting on the PII controller’s behalf. A PII processor or a supplier may also wish to conduct
their own PIA.
A supplier’s PIA information is especially relevant when digitally connected devices are part of the
information system, application or process being assessed. It may be necessary for suppliers of such
devices to provide privacy-relevant design information to those undertaking the PIA. When the
provider of digital devices is unskilled in and not resourced for PIAs, for example:
— a small retailer, or
— a small and medium-sized enterprise (SME) using digitally connected devices in the course of its
normal business operations,
then, in order to enable it to undertake minimal PIA activity, the device supplier may be called upon to
provide a great deal of privacy information and undertake its own PIA with respect to the expected PII
principal/SME context for the equipment they supply.
A PIA is typically conducted by an organization that takes its responsibility seriously and treats PII
principals adequately. In some jurisdictions, a PIA may be necessary to meet legal and regulatory
requirements.
This document is intended to be used when the privacy impact on PII principals includes consideration
of processes, information systems or programmes, where:
— the responsibility for the implementation and/or delivery of the process, information system or
programme is shared with other organizations and it should be ensured that each organization
properly addresses the identified risks;
— an organization is performing privacy risk management as part of its overall risk management effort
while preparing for the implementation or improvement of its ISMS (established in accordance with
ISO/IEC 27001 or equivalent management system); or an organization is performing privacy risk
management as an independent function;
— an organization (e.g. government) is undertaking an initiative (e.g. a public-private-partnership
programme) in which the future PII controller organization is not known yet, with the result that
the treatment plan could not get implemented directly and, therefore, this treatment plan should
become part of corresponding legislation, regulation or the contract instead;
— the organization wants to act responsible towards the PII principals.
vi © ISO/IEC 2017 – All rights reserved
ISO/IEC 29134:2017(E)
Controls deemed necessary to treat the risks identified during the privacy impact analysis process
may be derived from multiple sets of controls, including ISO/IEC 27002 (for security controls) and
ISO/IEC 29151 (for PII protection controls) or comparable national standards, or they may be defined
by the person responsible for conducting the PIA, independently of any other control set.
© ISO/IEC 2017 – All rights reserved vii
INTERNATIONAL STANDARD ISO/IEC 29134:2017(E)
Information technology — Security techniques —
Guidelines for privacy impact assessment
1 Scope
This document gives guidelines for
— a process on privacy impact assessments, and
— a structure and content of a PIA report.
It is applicable to all types and sizes of organizations, including public companies, private companies,
government entities and not-for-profit organizations.
This document is relevant to those involved in designing or implementing projects, including the parties
operating data processing systems and services that process PII.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO Guide 73:2009, Risk management — Vocabulary
ISO/IEC 27000:2016, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 29100:2011, Information technology — Security techniques — Privacy framework
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 29100, ISO/IEC 27000,
ISO Guide 73 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http:// www .electropedia .org/
— ISO Online browsing platform: available at http:// www .iso .org/ obp
3.1
acceptance statement
formal management declaration to assume responsibility for risk ownership, risk treatment and
residual risk
3.2
asset
anything that has value to anyone involved in the processing of personally identifiable information (PII)
Note 1 to entry: In the context of a privacy risk management process, an asset is either PII or a supporting asset.
© ISO/IEC 2017 – All rights reserved 1
ISO/IEC 29134:2017(E)
3.3
assessor
person who leads and conducts a privacy impact assessment (3.7)
Note 1 to entry: The assessor may be supported by one or more other internal and/or external experts as part of
their team.
Note 2 to entry: The assessor may be an expert internal or external to the organization.
3.4
process
set of interrelated or interacting activities which transforms inputs into outputs
[SOURCE: ISO/IEC Directives, Part 1, Consolidated ISO Supplement : 2014, 3 .12]
3.5
device
combination of hardware and software, or solely software, that allows a user to perform actions
3.6
privacy impact
anything that has an effect on the privacy of a PII principal and/or group of PII principals
Note 1 to entry: The privacy impact could result from the processing of PII in conformance or in violation of
privacy safeguarding requirements.
3.7
privacy impact assessment
PIA
overall process of identifying, analysing, evaluating, consulting, communicating and planning the
treatment of potential privacy impacts with regard to the processing of personally identifiable
information, framed within an organization’s broader risk management framework
Note 1 to entry: Adapted from ISO/IEC 29100:2011, 2.20.
3.8
privacy risk map
diagram that indicates the level of impact and likelihood of privacy risks identified
Note 1 to entry: The map is typically used to determine the order in which the privacy risks should be treated.
3.9
programme
group of projects managed in a coordinated way to obtain benefits not available from managing them
individually
[SOURCE: ISO 14300-1:2011, 3.2]
3.10
project
unique process, consisting of a set of coordinated and controlled activities with start and finish dates,
undertaken to achieve an objective conforming to specific requirements, including the constraints of
time, cost and resources
[SOURCE: ISO 9000:2015, 3.4.2]
2 © ISO/IEC 2017 – All rights reserved
ISO/IEC 29134:2017(E)
3.11
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
[SOURCE: ISO/IEC Directives, Part 1, Consolidated ISO Supplement : 2014, 3 . 01]
3.12
severity
estimation of the magnitude of potential impacts on the privacy of a PII principal
3.13
system
information system
applications, services, information technology assets, or other information handling components
[SOURCE: ISO/IEC 27000:2016, 2.39]
3.14
stakeholder
person or organization that can affect, be affected by, or perceive itself to be affected by a decision or
activity
Note 1 to entry: Includes PII principals, management, regulators and customers.
Note 2 to entry: Consultation with stakeholders is integral to a PIA.
[SOURCE: ISO/IEC Directives, Part 1, Consolidated ISO Supplement: 2014, 3.02 – modified – The preferred
term “interested party” has been removed from this entry.]
3.15
technology
hardware, software, and firmware systems and system elements including, but not limited to, information
technology, embedded systems, or any other electro-mechanical or processor-based systems
[SOURCE: ISO/IEC 16509:1999, 3.3]
4 Abbreviated terms
API application programming interface
BYOD bring your own device
ICT information and communication technologies
ISMS information security management system
PII personally identifiable information
SME small and medium-sized enterprises
© ISO/IEC 2017 – All rights reserved 3
ISO/IEC 29134:2017(E)
5 Preparing the grounds for PIA
5.1 Benefits of carrying out a PIA
This document provides guidance that can be adapted to a wide range of situations where PII is
processed. However, in general, a PIA can be carried out for the purpose of:
— identifying privacy impacts, privacy risks and responsibilities;
— providing input to design for privacy protection (sometimes called privacy by design);
— reviewing a new information system’s privacy risks and assessing its impact and likelihood;
— providing the basis for the provision of privacy information to PII principals on any PII principal
mitigation action recommended;
— maintaining later updates or upgrades with additional functionality likely to impact the PII that are
handled;
— sharing and mitigating privacy risks with stakeholders, or providing evidence relating to compliance.
NOTE A PIA is sometimes referred to by other terms, for example, a “privacy review” or a “data protection
impact assessment”. These particular instances of a PIA could come with specific implications for both process
and reporting.
A PIA has often been described as an early warning system. It provides a way to detect potential
privacy risks arising from the processing of PII and thereby informing an organization of where they
should take precautions and build tailored safeguards before, not after, the organization makes heavy
investments. The costs of amending a project at the planning stage will usually be a fraction of those
incurred later on. If the privacy impact is unacceptable, the project may even have to be cancelled
altogether. Thus, a PIA helps to identify privacy issues early and/or to reduce costs in management
time, legal expenses and potential media or public concern by considering privacy issues early. It may
also help an organization to avoid costly or embarrassing privacy mistakes.
Although a PIA should be more than simply a compliance check, it does nevertheless contribute to an
organization’s demonstration of its compliance with relevant privacy and data protection requirements
in the event of a subsequent complaint, privacy audit or compliance investigation. In the event of
a privacy risk or breach occurring, the PIA report can provide evidence that the organization acted
appropriately in attempting to prevent the occurrence. This can help to reduce or even eliminate any
liability, negative publicity and loss of reputation.
An appropriate PIA also demonstrates to an organization’s customers and/or citizens that it respects
their privacy and is responsive to their concerns. Customers or citizens are more likely to trust an
organization that performs a PIA than one that does not.
A PIA enhances informed decision-making and exposes internal communication gaps or hidden
assumptions on privacy issues about the project. A PIA is a tool to undertake the systematic analysis of
privacy issues arising from a project in order to inform decision makers. A PIA can be a credible source
of information.
A PIA enables an organization to learn about the privacy pitfalls of a process, information system or
programme upfront, rather than having its auditors or competitors point them out. A PIA assists in
anticipating and responding to the public’s privacy concerns.
A PIA can help an organization gain the public’s trust and confidence that privacy has been built into
the design of a process, information system or programme.
Trust is built on transparency, and a PIA is a disciplined process that promotes open communications,
common understanding and transparency. An organization that undertakes a PIA demonstrates to its
employees and contractors that it takes privacy seriously and expects them to do so too. A PIA is a way
of educating employees about privacy and making them alert to privacy problems that might damage
4 © ISO/IEC 2017 – All rights reserved
ISO/IEC 29134:2017(E)
the organization. It is a way to affirm the organization’s values. A PIA can be used as an indication of
due diligence and may reduce the number of customer audits.
5.2 Objectives of PIA reporting
The objective of PIA reporting is to communicate assessment results to stakeholders. Multiple
stakeholders have expectations of a PIA.
The following are typical examples of stakeholders and their expectations.
— PII principal – PIA is an instrument to enable subjects of PII to have assurance that their privacy is
being protected.
— Management – Several viewpoints apply, with
  — PIA as an instrument to manage privacy risks, create awareness and establish accountability;
    visibility over PII processing within the organization, and the possible risks and impacts of
    that processing; inputs to business or product strategy;
  — building the PIA into the earliest stages of the project ensuring that the privacy requirements
    are included in the functional and non-functional requirements, are achievable and viable, and
    are traced through change and risk management, which may result in the project not happening or
    being cancelled. The effort to classify and manage project PII should be funded as a separate
    investment line item and amount in a project or programme budget, acceptable to all stakeholders;
  — PIA as an opportunity to better understand privacy requirements and to assess activities against
    these requirements; inputs for product or service design and delivery; reviewed and amended
    through the change management process after delivery;
  — PIA as an instrument to understand the privacy risks at the function/project/unit level;
    consolidation of risks; input to privacy policy design and enforcement mechanisms; inputs for
    re-engineering privacy processes.
— Regulator – PIA is an instrument that contributes evidence supporting compliance with applicable
legal requirements. It can provide evidence of due diligence taken by the organization in case of
breach, non-compliance, complaint, etc.
— Customer – PIA is a means to assess how the PII processor or PII controller is handling PII and
provides evidence that it follows the contractual obligations.
PIA reporting should fulfil two basic functions. The first (Inventory) keeps the specific stakeholders
informed of the identified affected entities, the affected environment and the privacy risks across the
life cycle of the affected entities, whether those risks are inherent or mitigated. The second (Action
items) is a tracking mechanism for the actions/tasks that improve and/or resolve the identified privacy
risks. Sensitivity to the distribution and release of the reporting information needs to be clearly
assessed and classified (private, confidential, public, etc.).
5.3 Accountability to conduct a PIA
A PIA of processes or information systems should be undertaken by one of a number of different entities
within the organization, but a PIA may also be carried out on a process, information system or programme
by consumer organizations or non-governmental organizations.
Typically, the responsibility for ensuring that a PIA is undertaken should, in the first instance, lie
with the person in charge of PII protection, otherwise with the project manager developing the new
technology, service or other initiative that may impact privacy.
Accountability for ensuring the PIA is undertaken and the quality of the result (PIA accountability)
should lie with the top management of the PII controller. The person who has been assigned
responsibility for conducting the PIA may conduct it themselves, may enlist the help of other internal
and/or external stakeholders or may contract an independent third party to do the work. There are
advantages and disadvantages to each approach.
However, when the PIA is performed directly by the organization, end-user associations or governmental
agencies may request to have the PIA’s adequacy verified by an independent auditor.
The organization should ensure that there is accountability and authority for managing privacy
risks, including the implementation and maintenance of the privacy risk management process and for
ensuring the adequacy and effectiveness of any controls. This can be facilitated by
— specifying who is accountable for the development, implementation and maintenance of the
framework for managing privacy risk, and
— specifying risk owners for implementing privacy risk treatment, maintaining privacy controls and
reporting of relevant privacy risk information.
5.4 Scale of a PIA
The scale of the PIA will depend on how significant the impacts are assumed to be. For example, if the
impacts are assumed to affect only employees of the organization (e.g. the organization may wish to
improve its access control by means of a biometric such as a thumbprint from each employee), then the
PIA could engage only employee representatives and be relatively small scale. However, if a government
department wishes to introduce a new identity management system for all citizens, it will need to
conduct a much larger PIA involving a wide range of external stakeholders.
Organizations should perform a self-assessment of the required scale of the PIA, in compliance with laws
and regulations. The amount and granularity of the PII per person, the degree of sensitivity of the PII,
the number of PII principals and the number of people who will have access to the PII that is processed
are the critical factors in determining this scale.
In the case of SMEs, non-profit or governmental organizations, the appropriate scale of the PIA can be
determined jointly, but without binding effect, by the person conducting the PIA (as per 5.3), the SME’s
senior management and/or external experts, as appropriate.
6 Guidance on the process for conducting a PIA
6.1 General
The scope of a PIA, the specific details of what it covers and how it is conducted all need to be adapted
to the size of the organization, the local jurisdiction and the specific programme, information system or
process that is the subject of the PIA. In Clause 6,
— the “Objective” is something that should be achieved,
— the “Input” provides guidance about what information may be needed to achieve the “Objective”,
— the “Expected output” is the recommended target for the “Actions”,
— “Actions”, or their equivalents, are guidance on activities that may need to be carried out to achieve
the “Objective” and create the recommended “Expected output”, and
— “Implementation Guidance” provides more details of matters that may need to be considered in
performing the “Actions”.
The “Actions” in this clause, or equivalents, adapted to the desired scope and scale of a PIA may be
implemented stand-alone by an organization. They are intended to form a reasonable basis for planning,
implementing and following up the PIA in a wide range of circumstances.
The organization conducting a PIA process may wish either to adapt the process guidance below directly
to its specific PIA scale and scope or, as one possible alternative, to select a suitable risk-based
management system, such as ISO/IEC 27001, and integrate into it appropriately adapted elements of the
guidance below, including the use of the PIA report (see Clause 7) to treat the privacy risks it
identifies.
In this document, the term “conducting a PIA” is used to cover both an initial PIA where the necessary
steps and actions are selected to match the particular PIA requirement and an update to an existing PIA
where only the steps and actions necessary for the update are carried out.
Annex C provides further guidance on the understanding of terms used in this document.
To support SMEs in the PIA process, industry associations or bodies of SMEs should be encouraged
to draw up codes of conduct providing valuable guidelines, and SMEs should be encouraged to take
part in these activities. Reasonable codes of conduct would have to respect the values set forth in this
document and could be endorsed by data protection authorities.
6.2 Determine whether a PIA is necessary (threshold analysis)
Objective: To determine whether a new or updated PIA is necessary.
Input: Information about the programme, information system or process under assessment.
Expected output: Threshold analysis result, and mandate to prepare a new or updated PIA if required,
terms of reference and scope of the PIA decided.
Actions:
The organization’s management should decide if a new or updated PIA is required.
If a new or updated PIA is required, the organization’s management, in conjunction with the assessor
to be, should define the terms of reference and determine the boundaries and applicability of the PIA
to establish its scope. The organization should also decide on and document the scale of the PIA, the
process to be used to perform the PIA, and on the target audiences, hence the nature and contents of the
PIA reports to be produced.
Output of this process in terms of the threshold analysis result and the PIA scope and terms of reference
should be documented in the PIA report (see 7.2).
Implementation Guidance:
An organization should conduct a new or updated PIA if it perceives impacts on privacy from
— a new or prospective technology, service or other initiative where PII is, or is to be, processed,
— a decision that sensitive PII (see ISO/IEC 29100:2011, 2.26) is going to be processed,
— changes in applicable privacy related laws and regulations, internal policy and standards,
information system operation, purposes and means for processing data, new or changed data flows,
etc., and
— business expansion or acquisitions.
An organization may wish to establish a policy setting out thresholds for triggering a new or updated
PIA and initial technical and organizational measures to apply. Such a policy should take account of any
applicable issues from those listed above, setting boundaries within which processing of PII may be
developed and operated without triggering a new PIA.
6.3 Preparation of the PIA
6.3.1 Set up the PIA team and provide it with direction
Objective: To determine the scope of the PIA and the needed expertise and to formulate the terms
of reference for conducting the PIA.
Input: Mandate to prepare a PIA (see 6.2).
Expected output: Responsible person appointed, risk criteria.
Actions:
A person responsible for conducting a PIA (the assessor) should be identified and appointed by the
organization. The organization should also appoint the person accountable for signing off the PIA report.
The assessor should define the risk criteria and ensure that senior management agrees with the risk
criteria to be used to evaluate the significance of risk. These criteria may be based on those shown in
Annex A, or they may be defined separately by the organization, together with the criteria on how to
estimate the level of impact and the risk with their respective scales. The assessor should also identify
the criteria for risk acceptance and ensure that senior management agrees with these criteria.
Output of this process in terms of the risk criteria should be documented in the PIA report (see 7.3.2)
and resources (see 7.3.3).
Implementation Guidance:
The criteria should reflect the organization’s values, objectives and resources. When defining risk
criteria, the assessor should consider the following factors:
— legal and regu
...