Re: Aborted Covid App
GDPR covers the legal process for the collection of PII regardless of method. It would have been a bloody wide TOS for an App to have covered the entirety of contact tracing, and would immediately have failed the "informed consent" test for non-digital collection channels.
The failure of a PIA was on the whole Test and Trace programme, not the failure to do a PIA for the App part of it.
As others have said on this thread, it takes about an afternoon to do a PIA (much longer to implement the best practices, of course), but the PIA is effectively the MAP, not the directions. It's just the same as a set of SDLC or Programming Best Practice guidelines. It tells you where your risk areas are and how to mitigate them.
Like, for example, making sure your staff know that leaking PII could leave the organisation facing multi-million £ fines, and having procedures in place to go aggressively after staff who breach PII-related policies.
Go do your homework.