How to Approach a Privacy Impact Assessment for GDPR

What is a Privacy Impact Assessment?

An essential element of the GDPR is pre-empting risks to the security of personal data. A Privacy Impact Assessment (PIA) is the process that helps organisations identify and mitigate the privacy risks of any proposed new project.

When should you conduct a Privacy Impact Assessment?

Beginning a Privacy Impact Assessment (PIA) is normally triggered by the planning of a new project, because this is the point at which you can analyse how the project is likely to affect the privacy of your customers, clients or staff. According to the Information Commissioner’s Office (ICO):

‘Conducting a PIA does not have to be complex or time consuming but there must be a level of rigour in proportion to the privacy risks arising.’


Consider conducting a PIA if you are planning any of the following projects in your organisation

What is involved in the Privacy Impact Assessment process?

So you have established that you need to conduct a PIA, but where do you start? Before you do anything, it’s important to ensure that the PIA is a flexible process that is easily integrated into your organisation’s way of working and planning. You should also begin the PIA in plenty of time. The ICO recommends that you consider the following areas:

  • Identify the need for a PIA
  • Describe the information flows
  • Identify the privacy and related risks
  • Identify and evaluate the privacy solutions
  • Sign off and record the PIA outcomes
  • Integrate the outcomes into the project plan
  • Consult with internal and external stakeholders as needed throughout the process

The Need for Internal and External Consultations

Consulting relevant parties throughout the PIA process helps you to stay on the right track. Internal consultations can ensure that stakeholders and staff are as committed to data protection as you are.

When compiling a list of your internal stakeholders, consider those who are likely to be involved in the projects, like engineers and developers, buyers and marketers. You should also include your Data Protection Officer (DPO) if you have one, and the project management team.

When consulting external parties, consider those who are going to be affected by the project.


How to Conduct a Privacy Impact Assessment

Some of the key considerations are listed below:

  • Where will you capture and retain evidence that the PIA has been conducted?
  • How will you link it to the personal data it will assess?
  • How will you ensure you follow a standard and repeatable workflow process?
  • How will you follow a sign-off or approval process?
  • How will you collaborate and capture evidence of contributions from internal and external stakeholders?
  • How will you demonstrate you have identified and evaluated risks?

All of this and more is pre-configured in the software for GDPR. You will follow standard and repeatable workflows with team collaboration and approvals. You will have purpose-built workspaces to capture all the evidence and link it to the wider GDPR compliance project, including the records of personal data processing, assets, suppliers/processors and risks.

Risk management is taken care of from identification and assessment through to evaluation and treatment.
