Whose job is it to run a privacy impact assessment before a new system that collects personal data goes live?
A privacy impact assessment (PIA) is not a single person’s task. It is a shared responsibility, but accountability ultimately rests with the official who owns the system or program that collects the personal data. That owner cannot skip the assessment simply because privacy staff exist; their job is to ensure it happens before launch.
The system or program owner is accountable
The person or office sponsoring the new system — often called the business owner, program manager, or system owner — is accountable for making sure a PIA is completed and that its recommendations are addressed before the system goes live. They decide what data will be collected, why, and how it will be used, so they are best positioned to describe the privacy risks honestly.
Privacy and other specialists do the analysis
In most organizations, dedicated privacy staff lead the substance of the assessment:
- A privacy officer (in federal agencies, often a Senior Agency Official for Privacy or Chief Privacy Officer) guides the methodology and signs off.
- Information security staff evaluate how the data will be protected.
- Records management staff confirm retention, disposition, and recordkeeping obligations are met.
- Legal counsel checks applicable laws and authorities for collecting the data.
These roles supply expertise, but they advise the owner rather than absorb the owner’s accountability.
Why timing matters
The assessment must happen before the system goes live, while the design can still change. A PIA done after launch can only document risk, not prevent it. Building privacy considerations in early — sometimes called privacy by design — is far cheaper and more effective than retrofitting controls later.
A practical rule of thumb
If you are the one deciding to stand up a system that touches personal data, treat the PIA as your deliverable. Convene the privacy, security, legal, and records experts, document the analysis, and resolve the risks they identify before you turn the system on.
For frameworks and related guidance, see the privacy and PII topic hub.
Organizations vary in titles and structure, so confirm the specific roles and approval steps defined in your own privacy program before relying on this general guidance.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- Privacy Act of 1974 — U.S. Department of Justice
How to cite this page
APA
RM University Editorial. (2026). Whose job is it to run a privacy impact assessment before a new system that collects personal data goes live?. Records Management University. https://www.recordsmgmt.org/questions/whose-job-is-it-to-run-a-privacy-impact-assessment/
MLA
RM University Editorial. "Whose job is it to run a privacy impact assessment before a new system that collects personal data goes live?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/whose-job-is-it-to-run-a-privacy-impact-assessment/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?