# Privacy impact assessment

## What is a PIA?

The **data protection impact assessment** (DPIA, also called PIA) is a compliance mechanism provided for in [Article 35 of the GDPR](https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e3546-1-1).

It aims to ensure compliance with the GDPR and to provide documented proof of that compliance!

The analysis consists of **identifying and minimizing the risks** that a processing of personal data poses to the rights and freedoms of the persons concerned.

It is primarily a **study of the risks to the individuals, not of the risks to the organization**!

The PIA is a document broken down into three parts:

* A **detailed description** of the processing being implemented, covering both its technical and its operational aspects;
* The **assessment**, of a more legal nature, of the **necessity and proportionality** of the processing with regard to the non-negotiable fundamental principles and rights (purpose, data and retention periods, information and rights of individuals, etc.), which are set by law and must be respected whatever the risks;
* The **study**, of a more technical nature, of **the risks to data security** (confidentiality, integrity and availability) and of their potential impact on privacy, which makes it possible to determine the technical and organizational measures needed to protect the data.

## Scope of the PIA

The PIA may cover:

* A **single processing operation**
* **Several similar processing operations**, for example:
  * identical processing operations carried out by several data controllers;
  * a processing operation shared by several controllers;
  * processing operations that are similar in terms of purposes, functionalities, risks, technologies, etc.
* A **technological product** (hardware or software)

An impact assessment must be carried out when the processing operation is likely to entail a **high risk** for the rights and freedoms of the data subjects.

"Rights and freedoms" means not only the right to privacy but also other fundamental rights, such as freedom of movement, non-discrimination and the right to life.

{% hint style="info" %}
The [EDPB Guidelines](https://edpb.europa.eu/) state that a processing operation can be considered high-risk if it meets at least 2 of the following criteria:

* Evaluation or scoring
* Automated decision-making with legal or similar effect
* Systematic monitoring
* Sensitive data
* Large-scale processing
* Cross-referencing or combining of datasets
* Vulnerable data subjects
* Innovative use of technology
* Preventing the exercise of a right or the use of a service or contract
{% endhint %}

## When should I do a PIA?

* Before the processing is implemented (privacy by design principle)
* It is a tool that helps you decide whether to implement the processing
* It allows you to anticipate compliance costs
* It must also be done for existing processing operations

A PIA is an ongoing process:

* PIAs should be reviewed regularly
* A good practice is to update them every 3 to 5 years
* In any case, update the PIA as soon as the processing changes

<figure><img src="https://2697025545-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LvBxs22wUMicv9uWp6C-1972196547%2Fuploads%2FvPaxBGpvSF9weLh1HZEQ%2FDescription%20of%20the%20treatment%20envisaged-2.jpg?alt=media&#x26;token=291b88ac-ee67-448d-977c-1f77b3b099f7" alt="" width="375"><figcaption><p>An iterative process</p></figcaption></figure>

## How to make a PIA?

**First, assess necessity and proportionality. This is a thorough examination of the processing from every angle!**

You have to ask yourself questions and justify your choices on the following aspects of the processing:

* Purposes: specified, explicit and legitimate
* Legal basis: lawfulness of the processing, prohibition of purpose creep
* Data minimization: adequate, relevant and limited to what is necessary
* Data quality: accurate and kept up to date
* Retention periods: limited

**Then, detail the measures that protect the rights of the data subjects:**

* informing the persons concerned
* collecting consent, where required
* exercise of the rights of access and portability
* exercise of the rights of rectification and erasure
* exercise of the rights to restrict processing and to object
* relations with processors
* safeguards surrounding international transfers, if any

Use the applicable sector-specific reference frameworks, codes of conduct, labels and certification marks.

**Finally, analyze the risks to the individuals concerned: potential privacy breaches.**

For each **feared event** (illegitimate access to data, unwanted modification of data and disappearance of data):

* determine the potential **impact** on the privacy of data subjects if it were to occur;
* estimate the **severity** of the event, taking into account the harmfulness of the potential impacts and, if applicable, the measures that could modify them;
* identify the **threats** to the data carriers that could lead to this feared event and the sources of risk that could cause it;
* estimate its **likelihood**, particularly in terms of the vulnerabilities of the data carriers, the capabilities of the risk sources to exploit them, and the measures that could modify them.

Determine whether the **initial risks** can be considered acceptable given the existing or planned measures.

If not, propose **additional measures** and re-evaluate the level of risk in light of these measures to determine the **residual risk**.
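The risk loop above (feared event, impacts, threats, severity, likelihood, initial risk, additional measures, residual risk) as an added Python example; it is not code from this page or from Dastra. It assumes a four-level ordinal scale for severity and likelihood and an acceptance rule (neither axis above "limited"), which the page does not state, and the HR-file scenario is constructed.

```python
from dataclasses import dataclass

# Assumed scale for both axes (not from the page): 1 negligible, 2 limited, 3 significant, 4 maximum.

@dataclass
class Measure:
    """Technical or organisational measure; each lowers one axis by some levels."""
    name: str
    severity_delta: int = 0    # e.g. encryption makes a leak less harmful
    likelihood_delta: int = 0  # e.g. MFA makes the threat harder to carry out

@dataclass
class FearedEvent:
    name: str          # illegitimate access / unwanted modification / disappearance
    impacts: list      # potential impacts on the data subjects
    threats: list      # threats to the data carriers and the risk sources behind them
    severity: int      # 1..4, estimated before any measure
    likelihood: int    # 1..4, estimated before any measure

def apply_measures(event, measures):
    """Re-estimate (severity, likelihood) with the measures in place, floored at 1."""
    sev = max(1, event.severity - sum(m.severity_delta for m in measures))
    lik = max(1, event.likelihood - sum(m.likelihood_delta for m in measures))
    return sev, lik

def acceptable(severity, likelihood):
    """Assumed acceptance rule: neither axis may exceed 'limited' (2)."""
    return severity <= 2 and likelihood <= 2

def evaluate(event, planned, additional):
    """Initial risk with existing/planned measures; residual risk only if more is needed."""
    initial = apply_measures(event, planned)
    report = {"event": event.name, "initial": initial, "initial_acceptable": acceptable(*initial)}
    if not report["initial_acceptable"]:
        residual = apply_measures(event, planned + additional)
        report.update(residual=residual, residual_acceptable=acceptable(*residual))
    return report

def hr_file_example():
    """Constructed scenario (hypothetical): an HR file of employee records kept on laptops."""
    access = FearedEvent("illegitimate access", ["discrimination", "identity theft"],
                         ["stolen laptop", "phished credentials"], severity=4, likelihood=3)
    loss = FearedEvent("disappearance of data", ["missed salary payments"], ["disk failure"], severity=3, likelihood=2)
    return [
        evaluate(access, planned=[Measure("full-disk encryption", severity_delta=1)],
                 additional=[Measure("pseudonymised HR extract", severity_delta=1),
                             Measure("MFA on the HR application", likelihood_delta=1),
                             Measure("least-privilege access review", likelihood_delta=1)]),
        evaluate(loss, planned=[Measure("nightly tested backups", severity_delta=1)], additional=[]),
    ]
```

Running `hr_file_example()` shows the first event dropping from an unacceptable initial risk of (3, 3) to a residual (2, 1) once the additional measures are counted, while the second is already acceptable with the planned backups.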

## Who is involved?

* **The data controller** (DC)
  * The data controller's teams, including the teams of the business line concerned (MOA and MOE, i.e. the business owner and the implementation side), the compliance officers and the legal teams
  * The DC can delegate to external advisors, but the PIA remains under its responsibility
* **The DPO**
  * Advises, verifies how the PIA is carried out, evaluates the measures and the residual risks, and may suggest that a PIA be done
* **Data subjects (or their representatives), if applicable**
  * Their opinion can be sought and documented
* **The processors**
  * Provide assistance and information
* **The CISO or the IT department**
  * May propose that a DPIA be conducted, and provide assistance

## For more information

{% content-ref url="../../features/editer-le-registre/remplir-le-questionnaire/analyse-dimpact" %}
[analyse-dimpact](https://doc.dastra.eu/en/features/editer-le-registre/remplir-le-questionnaire/analyse-dimpact)
{% endcontent-ref %}

{% content-ref url="../../features/audit" %}
[audit](https://doc.dastra.eu/en/features/audit)
{% endcontent-ref %}

{% content-ref url="../../features/risk-management/attach-a-risk-to-a-processing-activity" %}
[attach-a-risk-to-a-processing-activity](https://doc.dastra.eu/en/features/risk-management/attach-a-risk-to-a-processing-activity)
{% endcontent-ref %}
