On 17 March, the Spanish data protection agency (la Agencia Española de Protección de Datos - AEPD) published a draft privacy impact assessment guide (Evaluación del Impacto en materia de Protección de Datos Personales). At the same time, the AEPD has initiated a public consultation, open until 25 April, to garner opinion and comments on the guide, after which they will issue a final version.
The guide sets out a framework to improve privacy and data protection in relation to an organisation’s technological developments, with the aim of helping them identify, address and minimise data protection risks prior to the implementation of a new product or service.
In this draft guide, the AEPD comments on the increasing importance for organisations to demonstrate their commitment to the rights of individuals whose personal data they process, and in meeting their legal obligations (essentially advocating the principle of accountability). In this regard, they advise that a developed privacy impact assessment will go a long way in evidencing an organisation’s good diligence, as well as assisting it to develop appropriate methods and procedures for addressing privacy risks.
It is not suggested, however, that the guide will provide the only methodology for carrying out a privacy impact assessment. Indeed, the AEPD says that they would be receptive to organisations who wish to develop an assessment specifically adapted to their business or sector, and they would be open to providing such organisations with guidance to ensure that they meet the minimum regulatory requirements.
As well as providing general guidance on privacy impact assessments, the guide sets out a set of basic questions, together with an ‘evaluation’ tool developed by the AEPD, whereby organisations can ‘check off’ and determine the legal obligations that must be met in order to implement their intended product or service in compliance with data protection legislation.
While this privacy impact assessment is not obligatory in Spain, this type of compliance review could become a legal requirement across the EU if the European Regulation on Data Protection remains as currently drafted (Article 33).