Privacy Impact Assessments: A GDPR Requirement
Privacy Impact Assessments (PIAs) are required by the GDPR. They exist to help identify and guide the use of personal information across the organization. PIAs require tight collaboration between the privacy office and business leaders in order to address privacy-related regulatory requirements.
According to the EU General Data Protection Regulation (GDPR), data privacy must be considered in the initial design stage of a project, and organizations are responsible for putting in place the appropriate policies, procedures and systems to enable this ‘privacy by design’ approach. In the event a project results in a high risk to the rights and freedoms of data subjects, the GDPR requires a Data Protection Impact Assessment (DPIA) in order to meet compliance.
MDS helps operationalize privacy by design in order to comply with GDPR requirements. We provide automated privacy impact assessments (PIAs) and data protection impact assessments (DPIAs) that are designed to increase organization-wide adoption through role-based templates and self-service tools. All privacy projects across the organization are consolidated into a central dashboard, giving easy viewing and a complete record of data protection activities for simple and thorough reporting.
PIA & DPIA Automation
Many organisations carry out PIAs as a matter of routine. When the GDPR comes into effect in May 2018, PIAs will be mandatory for many organizations. Under the GDPR, non-compliance with its requirements could lead to fines of up to 20 million (EUR) or 4% of a group’s worldwide turnover, whichever is greater. Non-compliance with the PIA requirements falls into a lower, but still significant, category of up to 10 million (EUR) or 2% of a group’s worldwide turnover, whichever is greater. It is therefore important that your organization fully understands its obligations under the new legislation.
The guidelines published by the Data Protection Working Party consider DPIAs and discuss how organisations should determine whether a proposed activity is likely to result in a “high risk”. The criteria they list are:
- Evaluation or scoring, including profiling;
- Systematic monitoring of individuals (from an HR perspective this is likely to include an employer’s decision to introduce or extend the scope of CCTV monitoring of employees);
- Processing sensitive data (for example in relation to employees’ religious or political beliefs or trade union activities);
- Processing data on a large scale (for example the implementation of a new IT system for storing and accessing employee data);
- Matching or combining datasets;
- Processing data concerning vulnerable individuals;
- Innovative use or application of technological or organisational solutions;
- Data transfer across borders outside the European Union (for example transferring employee data to a third party service provider that is outside of the European Union);
- When the processing in itself “prevents data subjects from exercising a right or using a service or a contract”.
The guidelines indicate that, as a very general rule of thumb, if the proposed technology, project, activity or process meets at least two of the above criteria, it should be considered high risk and therefore will require a DPIA.
A DPIA must be carried out prior to the implementation of the technology, project, activity or process and ideally as early as practical in the design process. The DPIA will also need to be updated and/or steps repeated as the process develops, particularly if issues are identified which may affect the severity or likelihood of risk to the data protection rights of affected individuals.
Who is responsible for carrying out the DPIA?
A data controller (and the data protection lead in particular) is ultimately responsible and accountable for ensuring that a DPIA is carried out. However it can be prepared by someone else, inside or outside of the organisation. For example, if there is a senior manager in charge of the implementation of a new data processing activity, they may be best placed to oversee conduct of the DPIA on a day-to-day basis given their proximity to the project. When preparing the DPIA, an organisation must also seek the advice of their data protection officer (if one has been appointed), though the data protection officer will act in an advisory role.
What must the DPIA include?
A DPIA will essentially be a step-by-step review of the new technology, project, activity or process. It will need to examine each stage of the data processing activity and identify/address all of the risks involved in that activity.
The GDPR sets out the following minimum required features of a DPIA:
- A description of the envisaged processing operations and the purposes of the processing - for example, explaining what personal data will be used, whom it will be obtained from or disclosed to, and who will have access to it;
- An assessment of the necessity and proportionality of the data processing;
- An assessment of the risks to the rights of the individuals affected (for example, financial loss, distress or the risk that inadequate disclosure controls could increase the likelihood of personal data being shared inappropriately); and
- The measures envisaged to address the risks and demonstrate compliance with the GDPR. (Some risks may be able to be eliminated altogether or reduced; however, most activities will have some impact on privacy and will require an organisation to accept some level of risk.)
Consultation with a broad range of stakeholders will also be an integral part of the DPIA process. Internally, this will mean speaking with the relevant departments involved with the proposed technology, project, process or activity. For example, the IT team, the HR department or senior management will be able to highlight risks and solutions based on their own area of interest or expertise. Consultation with external stakeholders will also give an organisation the opportunity to get input from those who will ultimately be affected by the data processing activity. (Where the affected individuals are employees, any recognised employee forum or trade unions will need to be consulted.)
The GDPR does not specify a particular process that must be followed to carry out a DPIA, although there are a number of different established processes. Helpfully, Annex 1 of the guidelines contains a list of links to examples of existing DPIA frameworks (including the ICO PIA code of practice) and to international standards containing DPIA methodologies. Annex 2 of the guidelines also sets out the criteria for an acceptable DPIA by reference to the relevant GDPR provisions.
What are the next steps?
Once the DPIA is complete the organisation will need to ensure any steps recommended as a result of the assessment are integrated into the project plan (in respect of the proposed technology, project, activity or process) and more crucially, implemented.
If an outcome of the DPIA is that a risk cannot be mitigated, reduced or eliminated, organisations will need to consider whether to reject the activity or to accept the risk. Any serious risks identified by the DPIA may need to be reported to the ICO to seek its opinion as to whether the intended processing operation complies with the GDPR.
The DPIA will need to be signed off at an appropriate level, e.g. by the board, a managing partner, risk partner etc. Where the DPO’s guidance is not followed then the organisation will need to document why.
The organization’s data inventory will also need to be updated to reflect the changes in processing operations, so that it remains an accurate overview of the organization’s processing activities. It is also useful to include links to the DPIA undertaken so that it can be located easily, again supporting the accountability principle.
Organizations may also wish to consider publishing the report (or a summary of the content excluding any confidential information) to evidence and promote the organisation’s compliance with the key GDPR principles of transparency and accountability.
The MDSNY data protection team can help and advise on all aspects of DPIAs (including providing DPIA templates) and the GDPR in general, so please speak to your usual contact at Shoosmiths for assistance.
An earlier version of this article appeared at http://www.shoosmiths.co.uk and was written by Kate Woodhouse.