Privacy Impact Assessments… the sooner, the better!

Baker McKenzie

European Union, Spain February 9 2015

Editorial
The European Commission is currently revisiting the EU Data Protection Framework in order to provide more safeguards for online privacy rights. One of the important aspects being re-examined relates to privacy impact assessments ("PIAs"). According to the UK ICO, a PIA is "a process which helps an organization to identify and reduce the privacy risks of a project. An effective PIA will be used throughout the development and implementation of a project, using existing project management processes. A PIA enables an organization to systematically and thoroughly analyze how a particular project or system will affect the privacy of the individuals involved."
To this day, many countries still do not regard this type of compliance process as a mandatory practice. In Spain for instance, the Spanish Data Protection Law does not currently require companies to conduct PIAs before launching a new product or service that might have privacy implications. The performance of PIAs, however, might become mandatory under the long-awaited European Regulation on Data Protection.
The sooner companies integrate PIAs as a necessary step in their think-and-design process for new products and services, the better their compliance with privacy requirements will be. Doing so avoids the need to redesign a product or service that might be deemed non-compliant at a later stage. It spares the company the task of repairing a reputation damaged by news about a problematic product or service. In addition, it precludes the lengthy and arduous task of preparing a response to complaints that may arise.
The Spanish Data Protection Authority ("SDPA") recently published a 70-page guide (in Spanish), which is publicly available on the SDPA's website. The goal is to promote a proactive privacy protection culture and provide guidance to companies in implementing PIAs as a necessary step in their internal processes.
The SDPA's guide identifies several stages for the PIAs, which are listed and briefly described below:
1. Need analysis -- Evaluation to assess the convenience of implementing a PIA on a certain product or service.
2. PIA team -- Formation of an interdisciplinary working group that will be responsible for the PIA performance and for ensuring regular dialogues with the project manager and company management.
3. Project description and information flows -- Analysis of the project that provides details of the categories of personal data processed, the data users, information flow diagrams, and the technologies used.
4. Risk identification -- Analysis of the potential risks to data protection and privacy of the covered individuals and assessment of the likelihood of potential damages if risks should materialize.
5. Stakeholder engagement -- Consultation with a wide range of interested internal and external parties to collect their views and opinions.
6. Management of risks identified -- Specification of controls and measures to be implemented for the elimination, mitigation, transfer or acceptance of the risks identified.
7. Legal compliance assessment -- Evaluation of whether the product or service, which is in the design stage, complies with legal data protection requirements.
8. Final report -- Detailed list of the risks identified and the recommendations proposed to eliminate or mitigate the risks, which will be submitted to the company management.
9. Recommendations for implementation -- Decision-making regarding the recommendations in the final report and the actions to be taken, including the provision of resources for implementation and appointment of a person in charge of implementation.
10. Review and feedback -- Analysis of the final results to check the effectiveness of the PIA performed and to verify whether there are any new risks.
Conducting a PIA provides additional guarantees and promotes users' and consumers' confidence. It allows companies to identify and remedy possible risks early on, which in turn avoids or mitigates unnecessary costs and eliminates potential breaches of privacy rights. Organizations are therefore strongly advised to look closely at their internal processes and ensure that privacy compliance is a key consideration while developing their products or services.
Jordi Masdevall
Baker & McKenzie, Barcelona
+34 93 206 08 54
