Understanding practitioner perspectives on using privacy harm categories for privacy risk assessment

Bibliographic Details
Published in: Journal of Information Security and Applications, Vol. 93, p. 104174
Main Authors: Wairimu, Samuel; Iwaya, Leonardo Horn; Fritsch, Lothar; Lindskog, Stefan
Format: Journal Article
Language: English
Published: Elsevier Ltd, 01.09.2025
ISSN: 2214-2126, 2214-2134
DOI: 10.1016/j.jisa.2025.104174

Summary: Privacy Impact Assessments (PIAs), also known as Data Protection Impact Assessments (DPIAs) under the EU GDPR, and Privacy Risk Assessments (PRAs) have emerged as prominent privacy engineering methodologies, aiding developers and data controllers in systematically identifying privacy risk and assigning appropriate controls. As part of such methodologies, the concept of privacy harms has been proposed as a valuable, well-structured taxonomy that contributes to the rationalization and justification of assessment decisions made by practitioners. While some PRA methodologies include privacy harms, the impact of these inclusions from practitioners’ perspectives remains largely unexplored. Hence, this study investigates whether evaluating predefined privacy harm categories, i.e., physical, psychological, financial/economic, reputational, and societal harms, can improve PRA outcomes by exploring PIA/DPIA and PRA practitioners’ perspectives. Using semi-structured interviews, including a workable PRA exercise, opinions and perspectives on privacy harms were elicited and analyzed following a reflexive thematic analysis. In total, 17 privacy practitioners were interviewed, revealing a range of positive (e.g., informative, educational) and negative (e.g., misleading, too broad) opinions on evaluating privacy harm categories. Further results indicate a lack of a standardized definition of privacy harm. In addition, participants noted that privacy harms are highly context-dependent and vary based on the data subject, and are hence difficult to quantify. Nevertheless, privacy harms are a critical addition to PIA/DPIA and PRA methodologies, supporting more rationalized and justifiable decisions when assessing risk and severity and when implementing mitigating controls. Yet, some prioritization of harm categories is advisable to efficiently allocate time and resources for assessment.

• PIAs are important for assessing and selecting appropriate measures.
• Some PIAs and privacy risk assessment methods comprise privacy harm categories.
• These categories are considered valuable and beneficial during assessments.