How to Perform a Privacy Impact Assessment (PIA)

In today’s digital-first environment, protecting personal data is not only a legal duty — it’s a foundation of public trust. Conducting a Privacy Impact Assessment (PIA) helps organizations in the Philippines uphold their responsibilities under Republic Act No. 10173 (Data Privacy Act of 2012) and prepare for potential privacy risks in their projects and systems.
Why PIAs Matter in the Philippine Setting
- Legal Compliance: RA 10173 requires entities to implement measures that ensure transparency, legitimate processing, and data subject rights.
- Risk Management: A PIA identifies weak points in your data lifecycle before harm occurs.
- Stakeholder Confidence: Conducting a PIA shows clients, citizens, and partners that you care about privacy and data protection.
When Should You Conduct a PIA?
Under NPC guidelines, a PIA is recommended whenever your organization plans to:
- Launch a system involving automated or large-scale personal data processing
- Use or adopt new technologies (e.g., biometrics, AI, surveillance)
- Make significant changes to how personal data is collected or processed
- Share personal data with third parties or cross-border recipients
A good practice is to treat PIAs not as one-time tasks, but as living tools — to be updated whenever changes in processing occur.
Step-by-Step Guide to Performing a PIA
Step 1: Define the Scope and Purpose
Start by identifying:
- What is the system/project?
- What personal data will be involved (e.g., names, addresses, IDs, biometric data)?
- What are the goals, legal bases, and expected outcomes?
Tip: Align your purpose with the general data privacy principles — transparency, legitimate purpose, and proportionality.
Step 2: Map the Data Flow
Trace how personal data will move through your system. Consider:
- Where and how is data collected (e.g., online forms, kiosks)?
- Where is it stored (e.g., local servers, cloud)?
- Who has access?
- Is it transferred externally (e.g., to a vendor or agency)?
Create a flowchart to visualize these steps — this helps reveal where risks may appear.
Step 3: Identify and Analyze Risks
Ask:
- Could this project expose data subjects to harm (e.g., identity theft, profiling)?
- Are there technical or organizational gaps (e.g., poor encryption, lack of policies)?
Use both qualitative and quantitative tools (e.g., surveys, threat modeling, impact scoring) to assess potential threats.
Step 4: Evaluate Current Controls
Review existing safeguards:
- Are there access restrictions?
- Are personal data encrypted or anonymized?
- Are there policies on data retention, breach reporting, or incident response?
This step lets you check whether current safeguards are adequate or if enhancements are needed.
Step 5: Recommend and Plan Mitigation
For each risk, propose risk-reduction strategies:
- Add authentication or encryption protocols
- Update consent and privacy notices
- Train staff in proper data handling
- Minimize data collection when not essential
Consider the proportionality principle — only collect what’s necessary.
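Steps 2 to 5 above amount to a repeatable procedure: inventory each data flow, check which safeguards it lacks, score the risk, and map each gap to a mitigation. The script below is an added example (not a tool from Philippine Data Guardians or the NPC) that does exactly that for a small, constructed register of flows. The sensitive-data categories, the 1-to-5 likelihood and impact scales, the access-role threshold, and the Low/Medium/High bands are all assumptions chosen for illustration, not values from RA 10173 or any NPC issuance; the flows describe a fictional scholarship application system.

```python
"""Data-flow register with a likelihood x impact risk score for a PIA.
Constructed example: scoring scheme and thresholds are assumptions, not NPC rules."""
from dataclasses import dataclass

# Categories treated as sensitive for scoring (assumption for this example).
SENSITIVE = {"biometric", "health", "government_id", "financial"}

# One mitigation per control gap, mirroring the Step 5 options in the guide.
MITIGATION = {
    "no encryption in transit": "enforce TLS on every collection and transfer channel",
    "no encryption at rest": "encrypt the data store and manage keys separately",
    "no retention policy": "define retention periods and a disposal procedure",
    "broad access": "restrict access to named roles with a need to know",
    "cross-border transfer": "put a data sharing agreement in place and verify recipient safeguards",
    "excess collection": "drop categories not required for the stated purpose",
}


@dataclass
class DataFlow:
    """Step 2: one row of the data-flow map."""
    name: str
    collected: set[str]           # personal data categories this flow handles
    needed: set[str]              # categories the stated purpose actually requires
    storage: str                  # where the data lands (local server, cloud, ...)
    access_roles: set[str]        # who can read it
    external_recipient: str = ""  # empty string means no external transfer
    cross_border: bool = False
    encrypted_at_rest: bool = False
    encrypted_in_transit: bool = False
    retention_policy: bool = False


def control_gaps(flow: DataFlow) -> list[str]:
    """Step 4: which of the safeguards listed in the guide are missing."""
    gaps = []
    if not flow.encrypted_in_transit:
        gaps.append("no encryption in transit")
    if not flow.encrypted_at_rest:
        gaps.append("no encryption at rest")
    if not flow.retention_policy:
        gaps.append("no retention policy")
    if len(flow.access_roles) > 3:  # threshold is an assumption
        gaps.append("broad access")
    if flow.external_recipient and flow.cross_border:
        gaps.append("cross-border transfer")
    return gaps


def excess_categories(flow: DataFlow) -> set[str]:
    """Proportionality check: data collected but not needed for the purpose."""
    return flow.collected - flow.needed


def impact(flow: DataFlow) -> int:
    """1-5 estimate of harm to data subjects, driven by what data is exposed."""
    score = 2
    if flow.collected & SENSITIVE:
        score += 2
    if excess_categories(flow):
        score += 1
    return min(score, 5)


def likelihood(flow: DataFlow) -> int:
    """1-5: baseline of 1 plus one point per missing safeguard."""
    return min(5, 1 + len(control_gaps(flow)))


def assess(flow: DataFlow) -> dict:
    """Steps 3-5 for one flow: score it, explain why, and list mitigations."""
    findings = control_gaps(flow)
    if excess_categories(flow):
        findings = findings + ["excess collection"]
    score = likelihood(flow) * impact(flow)
    level = "High" if score >= 15 else "Medium" if score >= 8 else "Low"  # assumed bands
    return {
        "flow": flow.name,
        "likelihood": likelihood(flow),
        "impact": impact(flow),
        "score": score,
        "level": level,
        "findings": findings,
        "mitigations": [MITIGATION[g] for g in findings],
    }


def risk_register(flows) -> list[dict]:
    """Project-wide view, highest-risk flow first."""
    return sorted((assess(f) for f in flows), key=lambda r: r["score"], reverse=True)


# Constructed sample flows for a fictional scholarship application system.
SAMPLE_FLOWS = [
    DataFlow(name="online application form",
             collected={"name", "address", "government_id", "biometric"},
             needed={"name", "address", "government_id"},
             storage="cloud database", access_roles={"admissions", "it_admin"},
             encrypted_in_transit=True),
    DataFlow(name="applicant list sent to partner NGO",
             collected={"name", "address"}, needed={"name", "address"},
             storage="partner file share", access_roles={"partner_staff"},
             external_recipient="partner NGO", cross_border=True,
             encrypted_at_rest=True, encrypted_in_transit=True, retention_policy=True),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_FLOWS):
        print(f"{row['level']:6} score={row['score']:2}  {row['flow']}")
        for finding, fix in zip(row["findings"], row["mitigations"]):
            print(f"         - {finding}: {fix}")
```

Running it ranks the application form as High (biometric data collected beyond what the purpose needs, stored unencrypted, with no retention policy) and the partner transfer as Low with a single cross-border finding. The point of the structure is that every score is traceable to a named gap and every gap to a mitigation, which is what the PIA report in Step 6 has to show.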
Step 6: Document and Implement Measures
Compile your findings and recommendations into a formal PIA report. This becomes part of your privacy management program and may be reviewed by the Data Protection Officer (DPO) or shared with the NPC, if needed.
Make sure:
- Key staff understand their roles
- Policies and systems are updated
- Monitoring mechanisms are in place
Step 7: Monitor, Review, and Update
Privacy risks evolve. After implementation:
- Schedule periodic reviews
- Re-assess when new tools or vendors are introduced
- Adjust based on emerging threats or regulatory updates
The NPC recommends regular updates, especially when processing practices change.
A well-executed Privacy Impact Assessment strengthens your organization’s privacy posture, supports regulatory compliance, and builds public trust. Whether you're in government, the private sector, or civil society, conducting PIAs ensures you're protecting not only personal data — but also the dignity and rights of every Filipino.
Need a Template or Tool?
Message Philippine Data Guardians for downloadable templates and automated PIA tools designed for the Data Privacy Act of 2012.