This guide aims to give you a better understanding of what a Privacy Impact Assessment is, why it is useful and when it should be conducted.
WHAT IS A PIA?
Privacy Impact Assessments are a management tool designed to identify risks to individuals’ privacy when implementing new systems, technologies or processes.
PIAs are at the heart of an organisation’s ‘privacy by design’ approach. They ensure problems are found and fixed during the early stages of any project, thereby minimising the risk of harm to individuals through misuse of their personal information.
Additionally, a PIA can be used to assess the impact of the continuing use of existing systems, technologies or processes, and can assist the design of effective methods for handling personal data.
WHY CONDUCT A PIA?
- Warning System – PIAs can alert compliance teams, and the business as a whole, by identifying risks before they occur
- Proof of Compliance – The assessment proves an organisation has gone above and beyond basic compliance obligations. It is worth noting that the existence of a PIA may be taken into consideration by regulators in the event of enforcement and fines
- Protect Reputation – The PIA process helps avoid damage to brand reputation, identifying potential risks before they can have an adverse impact
- Privacy First – Conducting a PIA demonstrates to all stakeholders that the organisation takes privacy seriously
- Informing Decisions – The process assists management to make informed decisions regarding processing that will affect the privacy of individuals
WHEN DO YOU NEED A PIA?
When new business processes, systems or technologies might significantly affect the privacy of individuals, you should consider the following:
- The information you are collecting from individuals – will the project involve the collection of new information about individuals, or compel individuals to provide information?
- Disclosure to others – will information about individuals be disclosed to organisations or people who have not previously had routine access to it?
- New use of information – will information about individuals be used for purposes it is not currently used for, or in a way it is not currently used?
- Intrusive to privacy – does the project use new technology or processes which could be perceived as intruding on an individual’s privacy?
- Impact on individuals – will the project result in you making decisions, or taking action against individuals, in ways which could have a significant impact on them?
- Sensitive Data* – is the information about individuals of a type which is likely to raise privacy concerns? For example, health records, criminal records or other information that people would consider to be particularly private. (*Note: under the GDPR, ‘sensitive’ data is redefined as ‘special categories of data’)
- Contacting Individuals – will the project require you to contact individuals in ways they may find intrusive?
CONSIDERATIONS WHEN CONDUCTING A PIA
Outlined below are some of the key steps you should consider when conducting a PIA:
A PIA is likely to have multiple stakeholders, both internal and external, for example:
- relevant departments and individuals within the business (e.g. IT, compliance, legal, developers and designers, security, procurement, communications, customer services, senior management, etc.)
- external processors or partner data controllers with whom personal data will be shared
- individuals whose data will be processed
- regulators whose guidance must be followed
A key component of any PIA is evaluating any risk to individuals’ privacy as well as assessing potential risk to the organisation and its reputation. It is vital to document both the process and the methodology used.
Investigating data collection methods
The compliant collection or sourcing of data is key in assessing the privacy impact. Therefore, for each data source (direct or external) the following should be reviewed:
- Consent: How will customers provide consent? For example, via permission statements, terms and conditions, privacy policies, etc.
- Type of Data: What classes of data will be included?
- Data Quality: What quality assurance parameters will be applied to the data?
- Storage and Retention: Where will the data be stored and how long will it be kept?
- Subject Access: How will an individual’s right of access and objections be handled?
The future use of individuals’ data
It is important to identify all anticipated uses of data in the project and assess and record what impact such uses might have on the privacy of individuals.
Develop solutions which will eliminate or minimise privacy risks, and then consider how these solutions affect the project. This could result in adapting the project to ensure risks are at an acceptable level, or in a decision not to proceed.
THE IMPACT OF NEW EU DATA PROTECTION REGULATION
The General Data Protection Regulation (GDPR), harmonising data protection across EU member states, was implemented in 2018. The regulation stipulates that organisations need to carry out Data Protection Impact Assessments (DPIAs) if their proposed activities are likely to result in a high risk to the rights and freedoms of individuals, for example:
- Automated processing (including profiling) which may significantly affect the individual or might produce legal consequences (i.e. potential proceedings or reporting obligations)
- Processing ‘special categories of data’ on a large scale
- Systematic monitoring of a publicly accessible area on a large scale
The GDPR makes DPIAs mandatory for larger projects, but as yet the detail of what constitutes ‘large scale’ has not been specified. Further guidance is anticipated detailing the types of processing operations which will be subject to a DPIA; this may also include a list of processing operations which do not require a DPIA.
It is worth noting that it will not be necessary to conduct assessments retrospectively, as long as compliance with the previous Directive can be demonstrated for the period prior to the GDPR.
In conclusion, PIAs should not be viewed as an exercise in demonstrating compliance; their purpose is specifically to identify risks to individuals’ privacy and find solutions. A PIA needs to be conducted in the early stages and should continue throughout the life-cycle of a project. There are PIA templates available, but be cautious: a PIA, by its very nature, will be unique to your organisation. The UK regulator offers some further useful guidance – The ICO’s Privacy Impact Assessments – Code of Practice.
The Data Protection Network was founded by the owners of the Data Compliance Consultancy Opt-4. Opt-4 has significant experience in carrying out Privacy Impact Assessments, risks assessments and data protection audits. If you would like further information please email: email@example.com or telephone: 0208 434 3596.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures referred to in the document.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.