Privacy impact assessment

Learn what a privacy impact assessment is.

Last updated 1 year ago


What is a PIA?

The data protection impact assessment (DPIA, also called PIA) is a compliance mechanism provided for in Article 35 of the GDPR.

It aims both to ensure compliance with the GDPR and to provide evidence of that compliance.

The analysis consists of identifying and minimizing the risks that a processing of personal data poses to the rights and freedoms of the data subjects.

It is primarily a study of the risks to individuals, not of the risks to the organization.

The PIA is a document broken down into three parts:

  • A detailed description of the processing implemented, including both technical and operational aspects;

  • The assessment, of a more legal nature, of the necessity and proportionality of the processing with regard to the non-negotiable fundamental principles and rights (purpose, data and retention periods, information and rights of individuals, etc.), which are set by law and must be respected whatever the risks;

  • The study, of a more technical nature, of the risks to data security (confidentiality, integrity and availability) as well as their potential impact on privacy, which makes it possible to determine the technical and organizational measures necessary to protect the data.

Perimeter of the PIA

The PIA may cover:

  • A single processing operation

  • A set of similar processing operations (similar in terms of purposes, functionalities, risks, technologies, etc.)

  • Identical processing operations carried out by several data controllers

  • A processing operation shared by several controllers

  • A technological product (hardware or software)

An impact assessment must be carried out if the processing operation entails a high risk for the rights and freedoms of the data subjects.

Rights and freedoms means not only the right to privacy but also other fundamental rights, such as freedom of movement, non-discrimination, the right to life, etc.

The following criteria indicate that a processing operation is likely to present a high risk:

  • Evaluation/scoring

  • Automated decision-making with legal or similar effect

  • Systematic monitoring

  • Sensitive data

  • Large-scale processing

  • Cross-referencing or combining of datasets

  • Vulnerable persons

  • Innovative use or application of new technologies

  • Preventing data subjects from exercising a right or using a contract or service

When should I do a PIA?

  • Before the processing is implemented (privacy by design principle)

  • It is a tool that helps you decide whether to implement the processing

  • It allows you to anticipate compliance costs

  • It must also be done for existing processing operations

A PIA is an ongoing process:

  • PIAs should be reviewed regularly

  • A good practice is to update it every 3 to 5 years

  • In any case, it must be updated as soon as a change occurs in the processing

How to make a PIA?

First, assess the necessity and proportionality of the processing. This is a thorough examination of the processing from every angle.

You have to ask yourself questions and justify your choices on the following aspects of the processing:

  • Purposes: determined, explicit and legitimate

  • Basis: lawfulness of processing, prohibition of purpose creep

  • Data minimization: adequate, relevant and limited

  • Data quality: accurate and kept up to date

  • Retention periods: limited

Then detail the measures that protect the rights of the data subjects:

  • Information of the data subjects

  • Collection of consent, where necessary

  • Exercise of the rights of access and portability

  • Exercise of the rights of rectification and erasure

  • Exercise of the rights to restrict processing and to object

  • Relations with processors

  • Safeguards surrounding international transfer(s)

Where they exist, sector-specific reference frameworks, codes of conduct, labels and certification marks should be used.

Finally, analyze the risks to the data subjects, i.e. the potential privacy breaches.

For each feared event (illegitimate access to data, unwanted modification of data and disappearance of data):

  • determine the potential impact on the privacy of data subjects if it were to occur;

  • estimate the severity of the event, including the harmfulness of the potential impacts and, if applicable, the measures that could modify them;

  • identify the threats to data carriers that could lead to this feared event and the sources of risk that could cause it;

  • estimate its likelihood, particularly in terms of the vulnerabilities of the data carriers, the capabilities of the risk sources to exploit them, and the measures that could modify them.

Determine whether the initial risks can be considered acceptable given the existing or planned measures.

If not, propose additional measures and re-evaluate the level of risk in light of these measures to determine the residual risk.
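The risk loop described above (initial risk with existing measures, acceptability check, additional measures, residual risk) as a small scoring model. This is an added example, not Dastra's code or the page's own method: the four-level scales and the acceptability threshold are assumptions borrowed from the CNIL PIA method, and the feared events, measures and scores are constructed for a hypothetical HR file.

```python
from dataclasses import dataclass, field

# Assumption: four-level scales (1 negligible .. 4 maximum) for both severity
# and likelihood, as in the CNIL PIA method; the page itself gives no scale.
LEVELS = {1: "negligible", 2: "limited", 3: "significant", 4: "maximum"}
ACCEPTABLE_MAX = 2  # assumption: acceptable when both levels are at most "limited"


@dataclass
class Measure:
    name: str
    severity_reduction: int = 0    # levels removed from severity
    likelihood_reduction: int = 0  # levels removed from likelihood


@dataclass
class FearedEvent:
    name: str            # illegitimate access, unwanted modification, disappearance
    severity: int        # harmfulness of the potential impacts on data subjects
    likelihood: int      # vulnerabilities of the data carriers x capability of risk sources
    existing: list = field(default_factory=list)   # measures already in place
    planned: list = field(default_factory=list)    # additional measures proposed

    def level(self, measures):
        """Severity and likelihood once the given measures are applied (floor at 1)."""
        sev = max(1, self.severity - sum(m.severity_reduction for m in measures))
        lik = max(1, self.likelihood - sum(m.likelihood_reduction for m in measures))
        return sev, lik


def acceptable(sev, lik):
    return sev <= ACCEPTABLE_MAX and lik <= ACCEPTABLE_MAX


def assess(event):
    """Initial risk with existing measures; if unacceptable, residual risk after planned ones."""
    initial = event.level(event.existing)
    if acceptable(*initial):
        return {"initial": initial, "residual": initial, "needs_measures": False, "accepted": True}
    residual = event.level(event.existing + event.planned)
    return {"initial": initial, "residual": residual,
            "needs_measures": True, "accepted": acceptable(*residual)}


# Constructed sample: the three feared events named on the page, with invented scores.
SAMPLE = [
    FearedEvent("illegitimate access to data", 4, 3,
                existing=[Measure("password access control", likelihood_reduction=1)],
                planned=[Measure("encryption at rest", severity_reduction=2),
                         Measure("access logging and review", likelihood_reduction=1)]),
    FearedEvent("unwanted modification of data", 3, 2,
                existing=[Measure("role-based write permissions", severity_reduction=1)]),
    FearedEvent("disappearance of data", 4, 3,
                existing=[Measure("daily backups", likelihood_reduction=1)]),  # no planned measure yet
]


def risk_register(events=SAMPLE):
    return {e.name: assess(e) for e in events}
```

A feared event whose residual risk is still unacceptable (here "disappearance of data", with no planned measure) is exactly the case where the loop must be run again with further measures.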

Who is involved?

  • The data controller (DC)

    • The data controller's teams, including the teams of the business line concerned (MOA, MOE, i.e. the business owners and the implementers), the compliance officers and the legal teams

    • The DC can delegate to external advisors, but the PIA remains under its responsibility

  • The DPO

    • Advises, verifies execution, evaluates the measures and the residual risks, and may propose that a PIA be carried out

  • Data subjects (or their representatives), where applicable

    • Their opinion can be sought and documented

  • The processors

    • Assistance and provision of information

  • The CISO or the IT department

    • May propose that a DPIA be conducted, and provide assistance

For more information

The EDPB guidelines state that a processing operation is likely to present a high risk when it meets at least 2 of the criteria listed above under "Perimeter of the PIA".

  • Article 35 of the GDPR

  • EDPB Guidelines