How to Approach a Privacy Impact Assessment for GDPR
What is a Privacy Impact Assessment?
An essential element of GDPR is to preempt risk to the security of personal data. A Privacy Impact Assessment (PIA) is the process which helps
When should you conduct a Privacy Impact Assessment?
Choosing to begin a Privacy Impact Assessment (PIA) is normally triggered by the planning of a new project. This is because it can give you the opportunity to
‘Conducting a PIA does not have to be complex or time consuming but there must be a level of rigour in proportion to the privacy risks arising.’
Consider conducting a PIA if you are planning any of the following projects in your organisation
New CCTV or other surveillance
If you’re planning on installing a new or upgrading an existing surveillance system that monitors the public.
Personal data sharing initiative
Sharing personal data between two or more organisations to make one database.
Installing a new IT or database system
Installation of a new IT system or database that stores and consolidates data held in separate parts of an organisation.
Reusing data for something new
Planning to use your existing bank of personal data for a different purpose.
Proposing to identify a particular demographic
Purposefully gathering data on a group of people with the intent to initiate a particular course of action.
What is involved in the Privacy Impact Assessment process?
So you have established that you need to conduct a PIA, but where do you start? Before you do anything, it’s important to ensure that the PIA is a flexible process that is easily integrated into your
- Identify the need for a PIA
- Describe the information flows
- Identify the privacy and related risks
- Identify and evaluate the privacy solutions
- Sign off and record the PIA outcomes
- Integrate the outcomes into the project plan
- Consult with internal and external stakeholders as needed throughout the process
The Need for Internal and External Consultations
Consulting relevant parties throughout the PIA process helps you to stay on the right track. Internal consultations can ensure that stakeholders and staff are as committed to data protection as you are.
When compiling a list of your internal stakeholders, consider those who are likely to be involved in the projects, like engineers and developers, buyers and marketers. You should also include your Data Protection Officer (DPO) if you have one, and the project management team.
When consulting external parties, consider those who are going to be affected by the project.
How to Conduct a Privacy Impact Assessment
Some of the key considerations are listed below:
- Where will you capture and retain evidence that the PIA has been conducted?
- How will you link it the personal data it will assess?
- How will you ensure you follow a standard and repeatable workflow process?
- How will you follow a sign-off or approval process?
- How will you collaborate and capture evidence of contributions from internal and external stakeholders?
- How will you demonstrate you have identified and evaluated risks?
All of this and more is pre-configured in the ISMS
Risk management is taken care of from identification and assessment through to evaluation and treatment.
The ISMS.online Privacy Impact Assessment project area