What are the steps to run a privacy impact assessment before a new system starts collecting personal data?
A privacy impact assessment (PIA) is a structured review that identifies how a new system will collect, use, store, share, and dispose of personal data, and what risks those activities create. Running it before the system goes live lets you design protections in rather than retrofit them. The following steps describe a sound, principle-based process.
1. Determine whether a PIA is needed
Confirm the system will collect or process personally identifiable information (PII). If it will, a PIA is generally required. Screen early, during planning or procurement, so privacy is built into the design rather than added later.
2. Map the data flows
Document what personal data will be collected, why it is needed, where it comes from, who will access it, where it is stored, with whom it is shared, and how long it will be retained. Diagramming the full lifecycle (collection through disposition) makes hidden flows visible.
3. Identify the authority and purpose
Establish the legal or business basis for collecting the data and define a specific, limited purpose. Apply data minimization: collect only what the purpose requires, and avoid retaining data longer than necessary.
4. Assess privacy risks
Evaluate risks such as unauthorized access, excessive collection, inaccurate records, unclear retention, or sharing without a basis. Consider impacts on individuals, not just the organization.
5. Define controls and mitigations
For each risk, specify safeguards: access restrictions, encryption, notice to individuals, consent or opt-out mechanisms where appropriate, accuracy and correction procedures, and a defined retention and disposition schedule.
6. Document, review, and approve
Record findings, residual risks, and decisions in a written PIA. Have privacy, legal, security, and records management stakeholders review it, and obtain sign-off from an accountable official before the system collects data.
7. Monitor and revisit
Treat the PIA as a living document. Reassess whenever the system, data, or sharing arrangements change materially.
Why it matters
A PIA ties privacy decisions to recordkeeping: defining purpose, access, and retention up front supports both compliance and good information governance. Frameworks like the NIST Privacy Framework offer a flexible model for identifying and managing these risks.
For related guidance, see the privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- Privacy Act of 1974 — U.S. Department of Justice
How to cite this page
APA
RM University Editorial. (2026). What are the steps to run a privacy impact assessment before a new system starts collecting personal data?. Records Management University. https://www.recordsmgmt.org/questions/how-to-run-a-privacy-impact-assessment-before-a-new-system-collects-personal-data/
MLA
RM University Editorial. "What are the steps to run a privacy impact assessment before a new system starts collecting personal data?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-to-run-a-privacy-impact-assessment-before-a-new-system-collects-personal-data/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?