INTERNATIONAL STANDARD ISO/IEC 29134
Second edition 2023-05

Information technology - Security techniques - Guidelines for privacy impact assessment
Technologies de l'information - Techniques de sécurité - Lignes directrices pour l'étude d'impacts sur la vie privée

Reference number ISO/IEC 29134:2023(E)
© ISO/IEC 2023

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
CP 401 - Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: [email protected]
Website: www.iso.org
Published in Switzerland

Contents                                                                         Page

Foreword                                                                            v
Introduction                                                                       vi
1     Scope                                                                         1
2     Normative references                                                          1
3     Terms and definitions                                                         1
4     Abbreviated terms                                                             3
5     Preparing the grounds for PIA                                                 4
5.1   Benefits of carrying out a PIA                                                4
5.2   Objectives of PIA reporting                                                   5
5.3   Accountability to conduct a PIA                                               5
5.4   Scale of a PIA                                                                6
6     Guidance on the process for conducting a PIA                                  6
6.1   General                                                                       6
6.2   Determine whether a PIA is necessary (threshold analysis)                     7
6.3   Preparation of the PIA                                                        7
6.3.1 Set up the PIA team and provide it with direction                             7
6.3.2 Prepare a PIA plan and determine the necessary resources for conducting the PIA   9
6.3.3 Describe what is being assessed                                              10
6.3.4 Stakeholder engagement                                                       11
6.4   Perform the PIA                                                              13
6.4.1 Identify information flows of PII                                            13
6.4.2 Analyse the implications of the use case                                     14
6.4.3 Determine the relevant privacy safeguarding requirements                     15
6.4.4 Assess privacy risk                                                          16
6.4.5 Prepare for treating privacy risks                                           19
6.5   Follow up the PIA                                                            23
6.5.1 Prepare the report                                                           23
6.5.2 Publication                                                                  24
6.5.3 Implement privacy risk treatment plans                                       24
6.5.4 Review and/or audit of the PIA                                               25
6.5.5 Reflect changes to the process                                               26
7     PIA report                                                                   26
7.1   General                                                                      26
7.2   Report structure                                                             27
7.3   Scope of PIA                                                                 27
7.3.1 Process under evaluation                                                     27
7.3.2 Risk criteria                                                                29
7.3.3 Resources and people involved                                                29
7.3.4 Stakeholder consultation                                                     29
7.4   Privacy requirements                                                         29
7.5   Risk assessment                                                              29
7.5.1 Risk sources                                                                 29
7.5.2 Threats and their likelihood                                                 29
7.5.3 Consequences and their level of impact                                       30
7.5.4 Risk evaluation                                                              30
7.5.5 Compliance analysis                                                          30
7.6   Risk treatment plan                                                          30
7.7   Conclusion and decisions                                                     30
7.8   PIA public summary                                                           30
Annex A (informative) Scale criteria on the level of impact and on the likelihood  32