Further to the Spanish Data Protection Agency ("SDPA"), a Privacy Impact Assessment (PIA) is, an "analysis of the risks that a certain information system, product or service may entail for the fundamental right of data protection and, after that analysis, looking for the best way to manage the identified risks, to adopt the appropriate measures to eliminate or mitigate them." The SDPA has published a guide with the aim to promote PIAs and a"privacy proactive culture", giving a reference procedure to evaluate and prevent privacy risks".
The SPDA believes that carrying out a PIA provides additional guarantees and promotes users and consumers' confidence. They also allow companies to identify and correct possible risks at the early stages of a project, avoiding future costs and even potential privacy rights breaches. The company's reputation will also avoid the negative consequences that privacy infringements could have to its reputation.
There is currently no legal obligation under Spanish law to perform a PIA however the current version of the European Proposal for a new Data Protection Regulation includes the obligation to carry out a data protection impact assessment prior to developing processing operations that are considered risky. Nevertheless, the Guide explains that implementing PIAs may be taken into account by the SDPA as an important element to evaluate if the processing operations are diligent and compliant which, in the framework of a data breach or a sanctioning procedure, may be regarded as a mitigation measure.
The Guide specifically recommends carrying out a PIA prior to processing operations related to Big data, Internet of Things or the development and construction of smart cities; when minors' personal data are being processed, particularly if they are under fourteen; when privacy invasive technologies are used such as, video surveillance or when an international transfer of data is necessary. The SPDA also recommends PIAs if a massive and systematic processing of specially protected data is to be performed, or when non dissociated or non-anonymized data are being processed with statistical, historical or scientific investigation purposes. PIAs are also advisable when a large number of people are affected by processing operations and in those cases in which there is an accumulation of personal data. A PIA is also recommended if the way the data subjects are going to be contacted might be considered especially intrusive, if data are to be assigned to third parties and if profiling activities are to be carried out. Finally, it is also recommended when existent information is to be enriched by collecting new categories of data or the existing data are used for different purposes, particularly if those uses are more intrusive or unexpected for the affected subjects.
The SDPA has also underlined that the scope of the PIA will depend on the envisaged specific data processing operation. Thus the system designed by the Guide should be adapted to the particular needs and characteristics of each sector and each organization. As stated by the SDPA "not every PIA needs to be carried out with the same intensity and the same depth. While some cases allow a least exhaustive and formal procedure, in other situations additional actions would be required to address the complexity or importance of the existing risks".
According to the SDPA a PIA project should include the following phases:
- Need analysis: evaluation of the convenience of carrying out a PIA.
- Project and information flows description: In depth analysis of the project to identify the category of data processed, the data users, information and data flows and the technologies used for the processing.
- Risk identification: Analysis of the possible risks for data protection and privacy, evaluation of the probability of those risks materializing and the assessment of the damage they could cause.
- Management of risks: Decision on the controls and measures to be implemented to eliminate, mitigate, transfer or accept the identified risks.
- Regulations compliance analysis: Verification of the compliance with data protection legal requirements, both general and sector-based.
- Final report: Issuing a detailed report summarizing the identified risks and the proposed solutions to mitigate or eliminate them. This report should be generally addressed to the direction of the organization carrying out the PIA.
- Implementation of recommendations: The decision regarding the recommendations given in the final report and the actions to be taken shall be reported to the direction of the organization. An allocation of resources and the appointment of a person responsible of implementing them are necessary.
- Review and feedback: Analysis of the final result to control the effectiveness of the PIA and to check if there are any new risks. These results are used as feedback regarding the PIA and to update it when necessary.
The SDPA's Guide also contains a series of questions which allow entities to check their level of legal compliance, regarding aspects such as the transparency of data processing or security measures. The Guide also encloses templates to organize data on information flows and risk identification and management, as well as another template of the PIA's final report.