At the Information Commissioner’s annual conference, two interactive workshops discussed PIAs. The feedback recently received by the ICO indicates that the main challenge faced by data protection officers when conducting PIAs is a lack of senior-level “buy in” in many organisations, in both the public and private sectors. This issue appeared to have a knock-on effect, “causing a general malaise across organisations in terms of the PIA process, putting real pressure on those responsible for leading on this important compliance work.”
The ICO discovered a general lack of understanding in some organisations in relation to PIAs and processing personal data, leaving those responsible for producing PIAs with challenges in terms of carrying out appropriate risk assessments.
Delegates also felt that the lack of senior-level “buy in” meant limited resourcing for those responsible for data protection compliance and specifically PIAs.
The ICO reminds businesses in its recent report that the mandatory requirement to undertake a data Privacy Impact Assessment under the GDPR may resolve some of the issues above, but the feedback from conference delegates will be included in future guidance to organisations.
The Article 29 Data Protection Working Party is also considering guidance on DPIAs.