Privacy Impact Assessments (PIAs) - Data Protection Impact Assessment (DPIAs)


PIA:

A privacy impact assessment (PIA) is a process designed to identify and address the privacy issues of a particular project. It considers the future consequences of a current or proposed action by identifying any potential privacy risks and then examining ways to mitigate or avoid those risks.

PIAs are usually conducted when a new business process is implemented, a new company is acquired, or a new product launches. PIAs can also be applied to existing processes, products, and systems when they are altered. A PIA is a standard process that privacy teams use to achieve privacy by design (PbD)[1].

 

An example of a PIA process is shown in the figure below:

 

Image taken from the Health Information and Quality Authority’s “Privacy Impact Assessment Toolkit for Health and Social Care”


DPIA:

A DPIA is a General Data Protection Regulation (GDPR) construct. It is designed to help an organization assess the risks associated with data processing activities that could compromise the rights and freedoms of individuals.

Data Protection Impact Assessments (DPIAs) are addressed in the GDPR in Article 35, which states: “Where a type of processing in particular using new technologies, and considering the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”[2]

Under the GDPR, a DPIA may be required[3]:
  1. Where a business process involving personal data has not undergone a DPIA in the past (Rec. 90).
  2. When the personal data being processed could pose a high risk to the data subjects if an incident were to occur (Rec. 84).
  3. When processing old data sets or personal data (Rec. 90).
  4. When personal data, including IP addresses, is used to make decisions about a data subject (profiling) (Rec. 91).
  5. When public areas are being monitored on a large scale (Rec. 91).
  6. When sensitive categories of data, criminal data, or national security data are being processed on a large scale (Rec. 91).
  7. If a business process incorporates a new technology (Art. 35).
  8. If a business process involves automated decision making, “the ability to make decisions by technological means without human involvement” (Art. 35).
  9. When personal data is processed in a systematic manner (Art. 35).
  10. When there is a change in the risk represented by the processing operations (Art. 35).

In any of these cases the data controller must conduct a DPIA to assess the impact of the processing on personal data protection BEFORE starting the actual processing operation.


An example of a DPIA process is shown in the figure below:

Image taken from the IT Governance Green Paper “How do you conduct a DPIA”


The components of a DPIA are shown in the figure below:

Image taken from the i-SCOOP article - DPIA: Data Protection Impact Assessments under the GDPR – a guide.

See Link: https://www.i-scoop.eu/gdpr/dpia-data-protection-impact-assessments/

For further guidance on DPIAs, see the Article 29 Data Protection Working Party “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679”. The guidelines can be downloaded from:

http://ec.europa.eu/newsroom/document.cfm?doc_id=47711

 

Your comments are welcomed.




[3] International Association of Privacy Professionals (IAPP) infographic “What Triggers a Data Protection Impact Assessment?” - https://iapp.org/media/pdf/resource_center/WhatTriggersDPIA_Final.pdf
