
GS1 EPC/RFID Privacy Impact Assessment Tool

Please note that we are currently reviewing these pages in light of the European Union's new General Data Protection Regulation and will update their content soon.

Protecting consumers' personal data in RFID implementations

The GS1 EPC/RFID Privacy Impact Assessment Tool is for large corporations and small and medium enterprises (SMEs) who are implementing an EPC/RFID application. It allows you to:

  • Rapidly perform a comprehensive assessment of privacy risks of any new EPC/RFID implementation within your company.
  • Identify privacy controls to be built in at the early stages of the specification or development process.
  • Comply with the European Commission’s RFID Recommendation and best practices on privacy and data protection, including the EPC Privacy Guidelines.

This will ensure that companies protect their customers' privacy and increase customer confidence in the RFID technology.

What is an RFID Privacy Impact Assessment (PIA)?

An RFID Privacy Impact Assessment helps companies to assess the privacy risks - and identify the measures to be taken to address them - before a new RFID application is introduced onto the market.

When implementing an RFID application within your company, you may be collecting personal information about your customers. It is important to ensure that you protect the privacy of your customers with regard to that data.

Collecting, processing and storing customers' personal data should be done in accordance with relevant national and local laws and best practices. For European companies, this includes the EU legal framework.

Complying with the European Commission’s Recommendation for a PIA Framework

The European Commission issued a Recommendation in 2009 stating that “all RFID operators” should conduct a PIA on their applications before deploying new applications. The Recommendation suggests very precise steps that should be taken, with the ultimate goal of raising consumer acceptance of RFID technology.

These Privacy Impact Assessments should be based on the PIA Framework endorsed by the data protection authorities in the EU Member States and industry in 2011.

To assist its Member Companies in the efficient implementation of the Recommendation, GS1 has developed the GS1 EPC/RFID PIA Tool. The tool is based on the European Commission’s PIA Framework and provides an easy way for companies to perform the risk assessment related to the implementation of EPC/RFID technology within their organisations and publish a PIA report.

How do I get started?

  • Download the Tool
  • Plan your Assessment: To be completed at least 6 weeks before deployment of your RFID application, according to the European Commission RFID Recommendation.
  • Perform your Assessment: With the help of your privacy officer or legal department. Once finalized, it should be made available to the competent data protection authority in your country.

Download GS1 EPC/RFID PIA Tool (updated July 2015)

For complete compatibility of these documents on Apple Macintosh systems the newest versions of Microsoft software will be required.

We would welcome your feedback and suggestions on the GS1 RFID PIA Tool. Please send them to GS1 Global Office at:

Praise for the PIA tool

“The GS1 PIA tool is a macro-enabled Excel spreadsheet that is highly flexible. What is most significant is that this tool could serve as the basis for a globally consistent method for performing assessments -- something that is essential in today's interconnected, global economy.” Bert Moore, Association for Identification and Mobility


GS1 provides this EPC/RFID Privacy Impact Assessment (PIA) tool ‘as is’, in order to assist companies to carry out an assessment of their privacy risks and identify corrective measures before implementing a new RFID application. The PIA is a self-evaluation procedure requiring thorough information input by each company using the PIA tool. GS1 hereby disclaims all responsibility for the content and accuracy of the information provided by companies using the PIA tool.