Conducting a Privacy Impact Assessment: the What, the Why and the How
The GDPR imposes a general requirement on data controllers to adopt technical and organisational measures to meet their data protection obligations, and to be able to demonstrate compliance. This includes a requirement to show they have integrated data compliance measures into their processing activities to achieve Privacy by Default and Privacy by Design. Under GDPR it is mandatory to conduct Privacy Impact Assessments (PIA) in respect of certain projects involving personal data; PIAs comprise a key element in achieving Privacy by Design and Default.
What is Privacy by Default and Design?
Privacy by design is an approach to projects that promotes privacy and data protection compliance from the outset. It involves integrating core privacy considerations into existing project management and risk management methodologies and policies. Principles such as pseudonymisation and data minimisation are engaged so as not to collect more personal data than necessary, and to ensure that respect for individual privacy is the default position. Historically, these issues may have been bolted on as an afterthought or ignored altogether. However, the GDPR requires organisations to ensure that privacy and data protection are a key consideration in the early stages of any project, and then throughout its lifecycle, for example when:
- building new IT systems for storing or accessing personal data;
- developing marketing strategies that have privacy implications;
- embarking on a data sharing initiative; or
- using data for new purposes.
What is Privacy?
As an overriding objective of GDPR is to achieve Privacy by Default and Design, this begs the question: what is meant by ‘privacy’? There is no statutory or other formal definition. In its broadest sense, privacy is about the rights of individuals to be left alone. There are two main forms of privacy: physical privacy and information privacy.
The GDPR is concerned primarily with information privacy. According to ICO guidance, risks to information privacy can arise as a result of personal information being: inaccurate, insufficient or out of date; excessive or irrelevant; disclosed to someone to whom the data subject does not want it to be disclosed; used in ways that are unacceptable to or unexpected by the data subject; or not kept securely.
What is a Privacy Impact Assessment?
Some organisations will be familiar with the concept of Privacy Impact Assessment ‘PIA’ (or Data Protection Impact Assessment ‘DPIA’) from their experiences under the Data Protection Act, but many will not.
A PIA is a tool that can help you identify the most effective way to comply with your data protection obligations as well as meet individuals’ expectations of privacy. Done properly, the PIA will enable you, systematically and thoroughly, to analyse how the project may affect privacy and to minimise privacy risks, while still allowing the aims of the project to be met.
In effect the PIA is a step-by-step review of the project. It is designed to examine each stage of the processing activity, and help the organisation to ensure that it has identified and addressed all of the risks involved in that activity before it commences.
An organisation facing questions from the ICO can rely on its PIA to provide strong evidence in demonstrating compliance with GDPR in two key areas:
- Were all material risks identified? An organisation can only comply with the requirements of GDPR if it has identified the material risks that arise in connection with its processing activities.
- What appropriate steps were taken to address those risks? In relation to each risk, the PIA provides a record of the steps that were taken to resolve or mitigate any danger to the rights and freedoms of data subjects.
Is it compulsory to conduct a PIA?
Under GDPR, a PIA must be carried out where processing operations (especially on a large scale) are likely to result in a high risk to the rights and freedoms of individuals. There is no definition of ‘large scale’ but PIAs are likely to become much more common under GDPR.
If a long-term project currently in planning stages is likely to be ongoing when GDPR comes into force, organisations should consider a PIA now.
Who should conduct the PIA?
It is for the data controller to decide who is best placed to coordinate and carry out the PIA process. Some organisations may have a dedicated data protection officer (DPO), although this is not currently a compulsory role. Under GDPR, if you have a DPO, they must be involved in the PIA, although they may not be best placed to oversee or conduct the PIA on a day-to-day basis. Ultimately, an effective PIA will include involvement from various people in the organisation, and you should consider assembling a team of people depending on the nature of the project, e.g. your IT manager, risk partner, Head of HR, compliance officer, etc.
How to conduct a PIA
To speak to someone in our data protection team about conducting a PIA and/or to obtain our standard template PIA Report Form, please email GDPR@bdb-law.co.uk.
1 July 2017