Personal Information Impact Assessments

The Information Regulator, by way of its regulations, has made personal information impact assessments compulsory for all processing of personal information. The regulations require information officers to ensure that personal information impact assessments are completed and adequate measures and standards exist in order for responsible parties to comply with the conditions for the lawful processing of personal information.

A personal information impact assessment “tells the story” of the processing from a privacy perspective:

  • It describes the data flow of personal information in the process, from all sources through to all final destinations

Data flow diagram

  • Its used to analyse the possible impacts processing of personal information may have on a data subject’s right to privacy
  • Options for managing, minimising or eradicating negative impacts on data subjects are identified
  • It assists finding potential solutions (technical and organisational measures) to managing possible negative privacy impacts
  • The personal information impact assessment aims to manage privacy-related risks whilst achieving or enhancing the process’ goals 
  • It encourages good data protection policies and practices.

Personal information impact assessments require:

  • a systematic description of the actual/envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the responsible parties
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes
  • an assessment of the risks to the rights of data subjects, and
  • the measures envisaged to address the risks, including:
    • safeguards,
    • security measures and
    • mechanisms to ensure the protection of personal data.
  • and are used to:
    • demonstrate compliance with the data protection requirements of the Protection of Personal Information Act, taking into account the rights and legitimate interests of data subjects and other persons concerned
    • communicate to data subjects the risks they face from the processing of their personal information
    • inform data subjects so that they are in a position to be able to object and/or withdraw their consent. 

Legitimate Interests and the obligation to inform individuals

  • Responsible parties need to be aware that if they use “Legitimate Interests” rather than other lawful bases:
    • individuals must be told about those legitimate interests, and
    • there is also an obligation to tell individuals about their right to object.


  • Examples of processing that could be necessary for the legitimate interest of a data controller, include:
    • Processing for direct marketing purposes or preventing fraud
    • Transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data
    • Processing for the purposes of ensuring network and information security, including preventing unauthorised access to electronic communications networks and stopping damage to computer and electronic communication systems
    • Reporting possible criminal acts or threats to public security to a competent authority.

For assistance with personal information impact assessments, contact: This email address is being protected from spambots. You need JavaScript enabled to view it.