Leonardo Horn Iwaya, Ala Sarah Alaqra, Marit Hansen, Simone Fischer-Hübner
Array, volume 23, Article 100356. Journal Article, published 2024-07-02. DOI: 10.1016/j.array.2024.100356
https://www.sciencedirect.com/science/article/pii/S2590005624000225
Citations: 0
Privacy impact assessments in the wild: A scoping review
Privacy Impact Assessments (PIAs) offer a process for assessing the privacy impacts of a project or system. As a privacy engineering strategy, they are one of the main approaches to privacy by design, supporting the early identification of threats and controls. However, there is still a shortage of empirical evidence on their use and proven effectiveness in practice. To better understand the current literature and research, this paper provides a comprehensive Scoping Review (ScR) on the topic of PIAs “in the wild,” following the well-established Preferred Reporting Items for Systematic reviews and Meta-Analyses (PRISMA) guidelines. This ScR includes 45 studies, providing an extensive synthesis of the existing body of knowledge, classifying types of research and publications, appraising the methodological quality of primary research, and summarising the positive and negative aspects of PIAs in practice, as reported by those studies. This ScR also identifies significant research gaps (e.g., evidence gaps from contradictory results and methodological gaps from research design deficiencies), future research pathways, and implications for researchers, practitioners, and policymakers developing and using PIA frameworks. As we conclude, there is still a significant need for more primary research on the topic, both qualitative and quantitative. A critical appraisal of qualitative studies revealed deficiencies in the methodological quality, and only four quantitative studies were identified, suggesting that current primary research remains incipient. Nonetheless, PIAs can be regarded as a prominent sub-area in the broader field of empirical privacy engineering, in which further scientific research to support existing practices is needed.