Privacy Impact Assessments… the sooner, the better!
The European Commission is currently revisiting the EU Data Protection Framework in order to provide more safeguards for online privacy rights. One of the important aspects being re-examined relates to privacy impact assessments ("PIAs"). According to the UK ICO, a PIA is "a process which helps an organization to identify and reduce the privacy risks of a project. An effective PIA will be used throughout the development and implementation of a project, using existing project management processes. A PIA enables an organization to systematically and thoroughly analyze how a particular project or system will affect the privacy of the individuals involved."
To this day, many countries still do not regard this type of compliance process as a mandatory practice. In Spain for instance, the Spanish Data Protection Law does not currently require companies to conduct PIAs before launching a new product or service that might have privacy implications. The performance of PIAs, however, might become mandatory under the long-awaited European Regulation on Data Protection.
The sooner companies integrate PIAs as a necessary step in their think-and-design process for new products and services, the better it will be to improve compliance with privacy requirements. It will avoid the need to redesign a product or service which might be deemed non-compliant at a later stage. It will eliminate the task of remedying a company's damaged reputation against news brought about by a problematic product or service. In addition, it will also preclude the lengthy and arduous task of preparing a response to complaints that may arise.
The Spanish Data Protection Authority ("SDPA") recently published a 70-page guide (in Spanish), which is publicly available on the SDPA's website. The goal is to promote a proactive privacy protection culture and provide guidance to companies in implementing PIAs as a necessary step in their internal processes.
The SDPA's guide identifies several stages for the PIAs, which are listed and briefly described below:
1. Need analysis -- Evaluation to assess the convenience of implementing a PIA on a certain product or service.
2. PIA team -- Formation of an interdisciplinary working group that will be responsible for the PIA performance and for ensuring regular dialogues with the project manager and company management.
3. Project description and information flows -- Analysis of the project that provides details of the categories of personal data processed, the data users, information flow diagrams, and the
4. Risk identification -- Analysis of the potential risks to data protection and privacy of the covered individuals and assessment of the likelihood of potential damages if risks should materialize.
5. Stakeholder engagement -- Consultation with a wide range of interested internal and external parties to collect their views and opinions.
6. Management of risks identified -- Specification of controls and measures to be implemented for the elimination, mitigation, transfer or acceptance of the risks identified.
7. Legal compliance assessment -- Evaluation of whether the product or service, which is in the design stage, complies with legal data protection requirements.
8. Final report -- Detailed list of the risks identified and the recommendations proposed to eliminate or mitigate the risks, which will be submitted to the company management.
9. Recommendations for implementation – Decision-making regarding the recommendations in the final report and the actions to be taken, including the provision of resources for implementation and appointment of a person in charge of implementation.
10. Review and feedback -- Analysis of the final results to check the effectiveness of the PIA performed and to verify whether there are any new risks.
Conducting a PIA provides additional guarantees and promotes users and consumers' confidence. It allows companies to identify and remedy possible risks early on, which will then avoid or mitigate unnecessary costs and eliminate potential breaches of privacy rights. With this, it is highly recommended for organizations to look closely at their internal processes, and ensure that while developing its products or services, privacy compliance is a key consideration.
Baker & McKenzie, Barcelona
+34 93 206 08 54