Privacy Impact Assessments (PIAs) offer a systematic process for assessing the privacy impacts of a project or system. As a privacy engineering strategy, PIAs are heralded as one of the main approaches to privacy by design, supporting the early identification of threats and controls. However, there is still a shortage of empirical evidence on their uptake and proven effectiveness in practice. To better understand the current state of literature and research, this paper provides a comprehensive Scoping Review (ScR) on the topic of PIAs "in the wild", following the well-established Preferred Reporting Items for Systematic reviews and Meta-Analyses (PRISMA) guidelines. As a result, this ScR includes 45 studies, providing an extensive synthesis of the existing body of knowledge, classifying types of research and publications, appraising the methodological quality of primary research, and summarising the positive and negative aspects of PIAs in practice, as reported by studies. This ScR also identifies significant research gaps (e.g., evidence gaps from contradictory results and methodological gaps from research design deficiencies), future research pathways, and implications for researchers, practitioners, and policymakers developing and evaluating PIA frameworks. As we conclude, there is still a significant need for more primary research on the topic, both qualitative and quantitative. A critical appraisal of qualitative studies (n=28) revealed deficiencies in the methodological quality, and only four quantitative studies were identified, suggesting that current primary research remains incipient. Nonetheless, PIAs can be regarded as a prominent sub-area in the broader field of Empirical Privacy Engineering, warranting further research toward more evidence-based practices.
翻译:暂无翻译