
Privacy Impact Assessment in a nutshell

November 30, 2017 by Julie Tamba

The French Data Protection Authority — called in short the “CNIL” — released on 22 November 2017 a free tool to assist companies in conducting a Privacy Impact Assessment (PIA). This initiative comes at a time when the deadline for applying the GDPR is close (May 2018) and companies are still struggling to make compliance a reality. The Privacy Impact Assessment is one of the various steps to be taken in that regard, yet it is not the easiest one to understand.

What the tool looks like

The PIA stems from Article 35 of the GDPR, which states that such a procedure is mandatory for the controller if the use of personal data induces a “high risk to the rights and freedoms of natural persons”. This notion is not defined by the GDPR, which however gives examples of when such a risk exists: in case of (i) systematic and extensive evaluation of personal aspects leading to decisions, (ii) use of sensitive data on a large scale, or (iii) systematic monitoring of a publicly accessible area on a large scale. Each national Data Protection Authority may further publish positive and negative lists of uses which require or do not require a PIA.

The subject matter of a PIA may be one or more processing operations, or a product such as a piece of hardware or software.

What is the purpose of a PIA and what should it contain? As underlined by the Article 29 Working Party in its guidelines, a PIA “is a process designed to describe the processing, assess the necessity and proportionality of a processing and to help manage the risks”. It allows companies to check — and to prove in the event of an inspection — that they have taken appropriate compliance measures. To that end, the PIA must contain a description of the operations on personal data, an assessment of their necessity and proportionality, an assessment of the risks for natural persons, and the measures envisaged to address those risks and demonstrate compliance. Various methods exist, including the methodology published by the CNIL, but also German and Spanish frameworks (among others).

Should the PIA show that the operations would still result in a high risk in the absence of mitigation measures, and such measures prove unreasonable “in terms of available technologies and costs of implementation”, the data protection authority should be consulted.

The guidelines of the Article 29 Working Party also underline certain points which in practice are far from trivial:

  • PIAs are needed for operations created after May 2018 or that change significantly in their risks or context after this date;
  • They must be re-assessed after 3 years maximum;
  • It is the responsibility of each company to be able to demonstrate that a considered operation did not require a PIA;
  • It is recommended to publish all or part of the PIA “to help foster trust in the controller’s processing operations, and demonstrate accountability and transparency”.
