Privacy impact assessment
Learn what a privacy impact assessment is
What is a PIA?
The data protection impact assessment is a compliance mechanism provided for in Article 35 of the GDPR.
It aims to ensure compliance with the GDPR and to provide proof of it!
The analysis consists of identifying and minimizing the risks of infringing the rights and freedoms of the persons concerned by a processing of personal data.
It is mainly a study of the risks for the individuals, not for the organization!
The PIA is a document broken down into three parts:
A detailed description of the processing implemented, including both technical and operational aspects;
The assessment, of a more legal nature, of the necessity and proportionality concerning the non-negotiable fundamental principles and rights (purpose, data and storage periods, information and rights of individuals, etc.), which are set by law and must be respected, whatever the risks;
The study, of a more technical nature, of the risks to data security (confidentiality, integrity and availability) as well as their potential impact on privacy, which makes it possible to determine the technical and organizational measures necessary to protect the data.
Scope of the PIA
The PIA may cover:
A single processing operation
Similar processing operations
Identical processing operations carried out by several data controllers
Processing shared by several controllers
Similar processing operations in terms of purposes, functionalities, risks, technologies, etc.
A technological product (hardware or software)
An impact assessment must be carried out if the processing operation entails a high risk for the rights and freedoms of the data subjects.
By rights and freedoms is meant not only the right to privacy but also other fundamental rights, such as freedom of movement, non-discrimination, the right to life, etc.
The EDPB Guidelines state that high-risk processing operations can be identified when they meet at least 2 of the criteria below:
Evaluation/scoring
Automatic decision with legal or similar effect
Systematic monitoring
Sensitive data
Large scale
Cross-referencing of data
Vulnerable persons
Innovative use
Blocking a right/contract
When should I do a PIA?
Before the implementation of the processing
Privacy by design principle
A tool to help you decide whether to implement the processing
Allows you to anticipate compliance costs
Must be done for existing processing operations
PIA is an ongoing process:
PIAs should be reviewed regularly
A good practice is to update it every 3 to 5 years
In any case, as soon as a change occurs in the processing
How to make a PIA?
By first assessing the measures of necessity and proportionality. This is a thorough examination of the processing from every angle!
You have to ask yourself questions and explain your choices on the following aspects of the processing:
Purposes: determined, explicit and legitimate
Basis: lawfulness of processing, prohibition of purpose creep
Data minimization: adequate, relevant and limited
Data quality: accurate and kept up to date
Retention periods: limited
Then by detailing the measures to protect the rights of the persons:
information of the persons concerned
collection of consent, if necessary
exercise of the rights of access and portability
exercise of the rights of rectification and erasure
exercise of the rights to limit processing and to object
relations with processors
safeguards surrounding the international transfer(s)
Sector-specific reference frameworks, codes of conduct, labels and marks must be used where they exist.
And finally, analyze the risks for the individuals concerned: potential privacy breaches
For each feared event (illegitimate access to data, unwanted modification of data and disappearance of data):
determine the potential impact on the privacy of data subjects if it were to occur;
estimate the severity of the event, including the harmfulness of the potential impacts and, if applicable, the measures that could modify them;
identify the threats to data carriers that could lead to this feared event and the sources of risk that could cause it;
estimate its likelihood, particularly in terms of the vulnerabilities of the data carriers, the capabilities of the risk sources to exploit them, and the measures that could modify them.
Determine whether the initial risks can be considered acceptable given the existing or planned measures.
If not, propose additional measures and re-evaluate the level of risk in light of these measures to determine the residual risk.
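As an added illustration of the risk-analysis steps above (not code from the original page), the following models each feared event with a severity and a likelihood, checks acceptability against existing measures, then re-evaluates with additional measures to obtain the residual risk. The four-level scale (negligible, limited, significant, maximum), the acceptance rule, the measures and their effects are assumptions chosen for the example.

```python
# Added illustration of the risk-analysis step; not code from the original page.
# Assumptions: a four-level scale for severity and likelihood and an acceptance
# rule chosen for this example only.
from dataclasses import dataclass

LEVELS = ["negligible", "limited", "significant", "maximum"]

@dataclass
class Risk:
    event: str        # one of the three feared events named on the page
    severity: int     # index into LEVELS
    likelihood: int   # index into LEVELS

@dataclass
class Measure:
    name: str
    event: str              # feared event the measure addresses
    severity_cut: int = 0   # levels removed from severity (e.g. encryption)
    likelihood_cut: int = 0 # levels removed from likelihood (e.g. access control)

def apply(risk, measures):
    """Re-evaluate a risk in light of the measures that address its event."""
    sev, lik = risk.severity, risk.likelihood
    for m in measures:
        if m.event == risk.event:
            sev = max(0, sev - m.severity_cut)
            lik = max(0, lik - m.likelihood_cut)
    return Risk(risk.event, sev, lik)

def acceptable(risk):
    """Assumed rule: no 'maximum' level, and not 'significant' on both axes."""
    return max(risk.severity, risk.likelihood) < 3 and not (risk.severity == 2 and risk.likelihood == 2)

def evaluate(initial, existing, additional):
    """Return {event: (residual risk, names of additional measures needed)}."""
    result = {}
    for r in initial:
        current = apply(r, existing)           # step 1: existing or planned measures
        if acceptable(current):
            result[r.event] = (current, [])    # initial risk already acceptable
            continue
        residual = apply(current, additional)  # step 2: additional measures
        result[r.event] = (residual, [m.name for m in additional if m.event == r.event])
    return result

# Constructed sample for a fictitious HR file (values are not from the page).
INITIAL = [Risk("illegitimate access", 3, 2), Risk("unwanted modification", 1, 1),
           Risk("disappearance", 2, 2)]
EXISTING = [Measure("role-based access control", "illegitimate access", likelihood_cut=1)]
ADDITIONAL = [Measure("encryption at rest", "illegitimate access", severity_cut=1),
              Measure("tested daily backups", "disappearance", severity_cut=1)]

if __name__ == "__main__":
    for event, (residual, extra) in evaluate(INITIAL, EXISTING, ADDITIONAL).items():
        print(f"{event}: severity={LEVELS[residual.severity]} likelihood={LEVELS[residual.likelihood]}"
              f" acceptable={acceptable(residual)} additional={extra}")
```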
Who is involved?
The data controller (DC)
The Data Controller's teams, including the teams of the business line concerned (MOA, MOE), the compliance officers, the legal teams
The DC can delegate to external advisors, but the PIA remains under its responsibility
The DPO
Advises, verifies execution, evaluates the measures and residual risks, and may suggest the PIA
Data subjects (or their representatives), if applicable
Their opinion can be taken and documented
The processors
Assistance and provision of information
The CISO or the IT department
May propose conducting a DPIA and provides assistance