Privacy Impact Assessment in a nutshell
November 30, 2017, by Julie Tamba
The French Data Protection Authority — called in short the “CNIL” — has just released on 22 November 2017 a free tool to assist companies in the process of conducting a Privacy Impact Assessment. This initiative happens in the context where the deadline for implementing the GDPR is close (May 2018) and companies are still struggling to make compliance a reality. Privacy Impact Assessment is part of the various steps to be taken in that regard yet it is not the easiest one to understand.
The PIA stems from article 35 of the GDPR, which states that such a procedure is mandatory for the controller if the use of personal data induces a “high risk to the rights and freedoms of natural persons”. This notion is not defined by the GDPR, which however gives examples of when such a risk exists: in case of (i) systematic and extensive evaluation of personal aspects leading to decisions, (ii) use of sensitive data on a large scale, or (iii) systematic monitoring of a publicly accessible area on a large scale. Each national Data Protection Authority may further publish positive and negative lists of uses which require or do not require a PIA.
The subject matter of a PIA may be one or more processing operations, or a product such as a piece of hardware or software.
What is the purpose of a PIA and what should it contain? As underlined by the Article 29 Working Party in its guidelines, a PIA “is a process designed to describe the processing, assess the necessity and proportionality of a processing and to help manage the risks”. It allows companies to check — and prove in case of control — that they have taken appropriate compliance measures. In order to do that, the PIA must necessarily contain the description of the operations on personal data, an assessment of the necessity and proportionality of the same, an assessment of the risks for natural persons, and the measures envisaged to address the risks and demonstrate compliance. Various methods exist including the methodology published by the CNIL, but also German and Spanish frameworks (among others).
Should the PIA show that the operations still result in a high risk in the absence of mitigation measures, yet such measures prove unreasonable “in terms of available technologies and costs of implementation”, the data protection authority should be consulted.
The guidelines of the Article 29 Working Party also underline certain points which are in practice far from being anecdotal:
- PIAs are needed for operations created after May 2018 or that change significantly in their risks or context after this date;
- They must be re-assessed after 3 years maximum;
- It is the responsibility of each company to be able to demonstrate that a considered operation did not require a PIA;
- It is recommended to publish all or part of the PIA “to help foster trust in the controller’s processing operations, and demonstrate accountability and transparency”.