Understanding practitioner perspectives on using privacy harm categories for privacy risk assessment

Abstract

Privacy Impact Assessments (PIAs), also known as Data Protection Impact Assessments (DPIAs) under the EU GDPR, and Privacy Risk Assessments (PRAs) have emerged as prominent privacy engineering methodologies, aiding developers and data controllers to systematically identify privacy risk and assign appropriate controls. As part of such methodologies, the concept of privacy harms has been proposed as a valuable, well-structured taxonomy that contributes to the rationalization and justification of assessment decisions made by practitioners. While some PRA methodologies include privacy harms, the impact of these inclusions based on practitioners’ perspectives remains largely unexplored. Hence, this study investigates whether evaluating predefined privacy harm categories, i.e., physical, psychological, financial/economic, reputational, and societal harms, can improve PRA outcomes by exploring PIA/DPIA and PRA practitioners’ perspectives. Using semi-structured interviews, including a workable PRA exercise, opinions and perspectives on privacy harms were elicited and analyzed following a reflexive thematic analysis. In total, 17 privacy practitioners were interviewed, revealing a range of positive (e.g., informative, educational) and negative (e.g., misleading, too broad) opinions on evaluating privacy harm categories. Further results indicate a lack of a standardized definition of privacy harm. In addition, participants noted that privacy harms are highly context-dependent and vary based on the data subject; hence, resulting in difficulty quantifying. Nevertheless, privacy harms are a critical addition to PIA/DPIA and PRA methodologies, supporting more rationalized and justifiable decisions when assessing risk, severity, and implementing mitigating controls. Yet, some prioritization of harm categories is advisable to efficiently allocate time and resources for assessment.