By May 2018, Data Protection Impact Assessments will be compulsory for a number of organisations.
Also known as a Privacy Impact Assessment (“PIA”), a PIA is compulsory under the new EU General Data Protection Regulation (“GDPR”) where, in the words of the Regulation, “a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operation on the protection of personal data”.
So what does this mean?
A PIA is essentially a risk assessment of proposed processing of personal data. If your organisation is processing personal data that is likely to result in a high risk to the data subject’s rights, a PIA must be carried out prior to commencing that processing.
When do I need to carry out a PIA?
In addition to where there is a high risk to the data subject’s rights, a PIA is mandatory in the following situations:
- Where there is systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
Who does this apply to? E.g. financial institutions that conduct automated loan approvals, data analytics providers, online marketing companies, and search engines with targeted marketing facilities.
- Processing on a large scale of sensitive personal data and personal data relating to criminal convictions and offences.
Who does this apply to? E.g. Healthcare providers, insurance companies.
- Systematic monitoring of a publicly accessible area on a large scale.
Who does this apply to? E.g. local authorities with CCTV in public areas, leisure industry operators with CCTV outside nightclubs, bars, restaurants and shopping centres.
As a data controller or processor, you must consult with the Supervisory Authority prior to processing where a PIA indicates that the processing would result in a high risk to the safety of the personal data. When the Supervisory Authority considers that the processing would infringe the GDPR, the Supervisory Authority shall provide written advice to the data controller or processor. As part of the consultation process the Supervisory Authority will require the following:
- The responsibilities of the controller and/or processor
- The purposes and means of the intended processing
- The measures and safeguards in place to protect the personal data
- Contact details for the Data Protection Officer (DPO)
How is a PIA carried out?
A PIA engagement can vary depending on the nature and complexity of the processing operations. The process typically involves several key stakeholders within an organisation and is overseen by an ‘internal sponsor’ who is either the current DPO or is intended to take up this role in the medium term. Prior to the commencement of a PIA, the following conditions and measures should be taken into account when determining the scope and conduct of the process:
- Where the processing is likely to give rise to a risk to the data
- The involvement of the DPO
- A systematic evaluation of proposed processing
- Identification of risk
- An outline of the measures being taken to mitigate those risks
- An outline of structures and measures planned to achieve compliance
- Where substantial risk is identified, the data controller must consult with the Supervisory Authority
A six-step process maps the lifecycle of the personal data in order to establish:
- The provenance of the data
- The manner of the processing involved
- The location of the processing
- The relevant stakeholders
- The deletion/anonymisation process
Step 1: Stakeholders, Systems and Entities
Compile a complete list of all relevant stakeholders, entities and systems within the organisation.
Step 2: Identify Processes
Compile a complete list of data management processes – a process is any event that is required to complete a business function.
Step 3: Workflow Analysis
For processes identified in Step 2, those parties conducting the PIA should then workflow each relevant process into appropriate ‘swim lanes’. Swim lanes graphically chart the flow of data into and out of the organisation.
Step 4: Data Protection Assessment
For each process identified in Step 3, the processing is categorised according to current and upcoming Data Protection legislation, areas of consideration and evaluation of potential risk.
Step 5: Risk Analysis
A Risk Register is created in parallel with Step 4 to measure risk against likelihood and severity.
Step 6: Implementation
An agreed implementation plan is formalised.
The PIA generates a findings report which identifies the high risk areas and provides specific recommendations as to how to remediate each risk. A score card which measures the risks against likelihood and severity is also provided. This score card can be used as a benchmark to demonstrate progress and data protection capability improvement.
Where possible, throughout the report, practical recommendations are made as to how the participating organisation may improve its compliance with regard to national/supranational data protection legislation.
As noted above, a Risk Register is produced by the PIA. This is a living document containing specific details on the risk, recommendations, next steps, actions-to-date, and the risk rating itself. This part of the output documentation becomes the ‘active component’ which should be systematically monitored, reviewed and updated.
While PIAs will not be mandatory until May 2018, our advice is to now consider carrying out a PIA, as it will assist in getting your organisation ready for the GDPR and highlight what areas your organisation needs to focus on. Further, if your organisation comes to the attention of the Office of the Data Protection Commissioner, your PIA will be your first line of defence.
Failure to meet your PIA obligations under the GDPR could result in fines of up to €10 million or 2% of the total worldwide annual turnover for the preceding financial year, whichever is the higher.
John Ghent, Sytorus