How to Approach a Privacy Impact Assessment for GDPR

What is a Privacy Impact Assessment?

An essential element of GDPR is to preempt risk to the security of personal data. A Privacy Impact Assessment (PIA) is the process which helps organisations to identify and mitigate the risks of any potential new project.

When should you conduct a Privacy Impact Assessment?

 

Choosing to begin a Privacy Impact Assessment (PIA) is normally triggered by the planning of a new project. This is because it can give you the opportunity to analyse how the new project is likely to affect your customer’s, client’s or staff’s privacy. According to the Information Commissioner‘s Office:

‘Conducting a PIA does not have to be complex or time consuming but there must be a level of rigour in proportion to the privacy risks arising.’

 Consider conducting a PIA if you are planning any of the following projects in your organisation

New CCTV or other surveillance

If you’re planning on installing a new or upgrading an existing surveillance system that monitors the public.

Personal data sharing initiative

Sharing personal data between two or more organisations to make one database.

Installing a new IT or database system

Installation of a new IT system or database that stores and consolidates data held in separate parts of an organisation.

Reusing data for something new

Planning to use your existing bank of personal data for a different purpose.

Proposing to identify a particular demographic

Purposefully gathering data on a group of people with the intent to initiate a particular course of action.

h

New data policies or strategies

Relating to the way you use and collect personal information.

What is involved in the Privacy Impact Assessment process?

 

So you have established that you need to conduct a PIA, but where do you start? Before you do anything, it’s important to ensure that the PIA is a flexible process that is easily integrated into your organisation’s way of working and planning. You should also begin the PIA in plenty of time. The ICO recommends that you consider the following areas:

 

  • Identify the need for a PIA
  • Describe the information flows
  • Identify the privacy and related risks
  • Identify and evaluate the privacy solutions
  • Sign off and record the PIA outcomes
  • Integrate the outcomes into the project plan
  • Consult with internal and external stakeholders as needed throughout the process

The Need for Internal and External Consultations

 

Consulting relevant parties throughout the PIA process helps you to stay on the right track. Internal consultations can ensure that stakeholders and staff are as committed to data protection as you are.

When compiling a list of your internal stakeholders, consider those who are likely to be involved in the projects, like engineers and developers, buyers and marketers. You should also include your Data Protection Officer (DPO) if you have one, and the project management team.

When consulting external parties, consider those who are going to be affected by the project.

How to Conduct a Privacy Impact Assessment

Some of the key considerations are listed below:

  • Where will you capture and retain evidence that the PIA has been conducted?
  • How will you link it the personal data it will assess?
  • How will you ensure you follow a standard and repeatable workflow process?
  • How will you follow a sign-off or approval process?
  • How will you collaborate and capture evidence of contributions from internal and external stakeholders?
  • How will you demonstrate you have identified and evaluated risks?

All of this and more is pre-configured in the ISMS.online software for GDPR. You will follow standard and repeatable workflows with team collaboration and approvals. You will have purpose built workspaces to capture all the evidence and link to the wider GDPR compliance project, including the personal data records processing, assets, supplier/processors and risks.

Risk management is taken care of from identification and assessment through to evaluation and treatment.

 

The ISMS.online Privacy Impact Assessment project area

Want to see the ISMS.online software in action?

ISMS Online Rating: 5 out of 5
Share This