Approaching a Privacy Impact Assessment for GDPR
An essential element of GDPR is to preempt risk to the security of personal data, describe how you will identify those risks and demonstrate what you will do if the worst happens.
When should you conduct a Privacy Impact Assessment?
Choosing to begin a Privacy Impact Assessment (PIA) is normally triggered by the planning of a new project. This is because it can give you the opportunity to analyse how the new project is likely to affect your customer’s, client’s or staff’s privacy. According to the Information Commissioner‘s Office:
‘Conducting a PIA does not have to be complex or time consuming but there must be a level of rigour in proportion to the privacy risks arising.’
Consider conducting a PIA if you are planning any of the following projects in your organisation
New CCTV or other surveillance
If you’re planning on installing a new or upgrading an existing surveillance system that monitors the public.
Installing a new IT or database system
Installation of a new IT system or database that stores and consolidates data held in separate parts of an organisation.
Reusing data for something new
Planning to use your existing bank of personal data for a different purpose.
Proposing to identify a particular demographic
Purposefully gathering data on a group of people with the intent to initiate a particular course of action.
What is involved in the Privacy Impact Assessment process?
So you have established that you need to conduct a PIA, but where do you start? Before you do anything, it’s important to ensure that the PIA is a flexible process that is easily integrated into your organisation’s way of working and planning. You should also begin the PIA in plenty of time. The ICO recommends that you consider the following areas:
- Identify the need for a PIA
- Describe the information flows
- Identify the privacy and related risks
- Identify and evaluate the privacy solutions
- Sign off and record the PIA outcomes
- Integrate the outcomes into the project plan
- Consult with internal and external stakeholders as needed throughout the process
Internal and external consultations
Consulting relevant parties throughout the PIA process helps you to stay on the right track. Internal consultations can ensure that stakeholders and staff are as committed to data protection as you are.
When compiling a list of your internal stakeholders, consider those who are likely to be involved int he projects, like engineers and developers, buyers and marketers. You should also include your Data Protection Officer (DPO) if you have one, and the project management team.
When consulting external parties, consider those who are going to be affected by the project.
The ISMS.online Privacy Impact Assessment project area
Want to see the ISMS.online software in action?
We have pre-built Privacy Impact Assessment projects inside our secure cloud software
Want to learn more about GDPR?
We have written an overview on handling Subject Access Requests for GDPR