Unpacking the Details of the New GDPR Change
Under the GDPR, a significant new change is a requirement for companies to conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities; it is the first regulation to mandate that private sector organizations conduct these assessments. While some companies have voluntarily conducted privacy impact assessments (PIAs) in the past, for many, these assessments are unfamiliar territory. Knowing the difference between the two is critical for determining whether or not a DPIA is required to comply with GDPR.
The EU General Data Protection Regulation (GDPR) is the next evolution in data privacy protection, which will align data privacy laws across Europe and change how companies in the U.S. and abroad tackle data privacy. A significant change that the GDPR will bring is the requirement for companies to conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities. The GDPR is the first regulation to mandate that private sector organizations conduct these assessments. While some companies have voluntarily conducted privacy impact assessments (PIAs) in the past, for many, these assessments are unfamiliar territory.
Often used interchangeably, the two assessment tools address very different requirements contingent on varying levels of data processing risk and complexity. In preparing for the May 25, 2018[1] deadline, knowing the difference between the two is critical for determining whether or not a DPIA is required to comply with GDPR.
What is a Privacy Impact Assessment?
A PIA is a tool that can be used to identify and mitigate risk associated with a product, service, business process or other organizational change.
PIAs support the implementation of privacy by design and are typically conducted early on in a project cycle so that any identified privacy requirements can be built in before the project goes into production. For instance, PIAs are typically conducted before a new product launches, a new business process is implemented, a new company is acquired, existing products, processes or systems are changed or when a company expands the countries in which it conducts business.
Depending on the risk level involved, an organization may choose to conduct a more or less comprehensive PIA.
What is a Data Protection Impact Assessment?
A DPIA is designed to help an organization assess the risks associated with data processing activities that could compromise the rights and freedoms of individuals.[2]
The GDPR does not specifically list the types of processing that are likely to result in such risk; however, it does give examples of adverse outcomes to individuals that may result from such processing, such as identity theft or fraud, discrimination and financial loss.[3] As guidance, the EU Article 29 Working Party (A29) has defined nine criteria for high-risk processing. The categories include:
- Evaluation or scoring
- Automated decision making that has legal effects
- Systematic monitoring
- Processing of sensitive data
- Data about vulnerable subjects
- Data on a large scale
- Datasets that have been matched or combined
- Development of new technology or innovative use of existing technology
- Processing that prevents individuals from exercising a right or using a service or contract
Similarly, the GDPR only provides a general description of how DPIAs are to be conducted. Article 35, however, sets out four elements that a DPIA must contain[4]: (1) a systematic description of the processing operations and their purposes; (2) an assessment of the necessity and proportionality of the processing; (3) an assessment of the risks to the rights and freedoms of individuals; and (4) the measures needed to address those risks.
PIAs and DPIAs: Similarities and Differences
An organization may use a DPIA, even if a DPIA is not required, to conduct an assessment to ensure the required data protection controls are in place and to demonstrate compliance with GDPR requirements. DPIAs are required of organizations acting as Data Controllers. Data Processors may also use DPIAs to assess whether they are processing data in a manner that supports the Controller in meeting its compliance obligations under the GDPR.
Both PIAs and DPIAs enable organizations to identify the controls needed to address and reduce risk — be it a risk to the rights of individuals, a compliance risk of the organization or both. PIAs and DPIAs differ, though, in their assessment goals.
PIAs focus on assessing the compliance controls and associated technical requirements, and on identifying organizational risk. Assessing whether the appropriate technical requirements are in place helps determine whether the organization is complying with applicable laws, regulations and industry standards. Identifying organizational risk surfaces potential issues and the impact of non-compliance, and provides mechanisms to monitor whether those issues have been remediated. Examples of such mitigation include: updating privacy notices as necessary, honoring opt-outs, maintaining a security program and having an incident response plan in place to respond to data breaches.
In contrast, DPIAs go beyond assessing compliance with technical requirements by evaluating the inherent privacy risks to individuals and determining whether the controls are sufficient to mitigate those risks. DPIAs enable organizations to examine whether the processing of data will create value for society and individuals.
Determining When a DPIA is Required
Before commencing a DPIA, it is essential to have a picture of what information your organization has, where that data is located, and how it flows through the organization. With that in mind, it is important to develop a data inventory and map the organization’s business process flows, systems and vendors.
An organization’s data inventory should include the name of the business process, the processing activities involved, the data elements required for each processing activity and their sensitivity, the systems involved and the third parties involved. The inventory can be used to understand the flow of the data, including its origin, the systems in which the data is processed and transfers to third parties or organizational affiliates.
The information included in the data inventory is required to complete the DPIA and to determine both the inherent risk of the processing and the controls needed to ensure appropriate data protections are in place to protect the rights of individuals. For example, if an organization is conducting systematic monitoring of its employees, the DPIA will be used to calculate the inherent risk associated with the processing, evaluate the effectiveness of the organization’s controls around data necessity, data use, retention and disposal, and security, and determine the residual risk associated with the processing.
Best Practices When Implementing a DPIA Process
DPIAs need to be conducted according to a documented process to ensure consistency. Many organizations lack a defined process, or conduct assessments on an ad hoc basis using spreadsheets and email. This is time-consuming and costly. Maintaining documentation to demonstrate accountability, and managing data processing changes across business process and system lifecycles, is also difficult when information is stored in various systems across multiple stakeholders.
Organizations should develop and follow a process that makes sense for their size, type of processing, and resources. The following sample process is one that can be adapted to suit the size and complexity of an organization:
- Build the PIA/DPIA process through documented methodology, including any supporting systems.
- Implement the PIA/DPIA process by providing awareness of the process and engaging stakeholders to participate in the process.
- Assess business activities by following the PIA/DPIA process methodology.
- Manage completion of any remediation and any changes to those business activities by following the PIA/DPIA process methodology.
- Demonstrate compliance and effective risk management through reliable evidence of the PIA/DPIA process and outcomes.
Relying on a consistent and well-documented DPIA process will make identifying issues and risks that require remediation easier and more efficient. Under the forcing function of GDPR and in today’s data-driven business environment, documentation has become critical. Privacy professionals are increasingly moving to technology solutions to ensure business continuity while demonstrating compliance by operationally tracking and reporting their privacy compliance. With previous privacy regulations, it was enough for businesses to claim that they were compliant. Leveraging a technology platform with built-in DPIA templates and other solutions that help with GDPR compliance will allow organizations to implement an effective and robust DPIA assessment process, thereby strengthening their overall GDPR readiness.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) Official Journal L. 2016;119(1).
[2] GDPR Article 35(1), illustrated by Article 35(3) and complemented by Article 35(4).
[3] See GDPR Recital 75; Fla. Stat. Ann. §501.171; Ind. Code §24-4.9.
[4] Article 29 Data Protection Working Party. (2017). WP 248: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purpose of Regulation 2016/679. Annex 2. Retrieved from http://ec.europa.eu/newsroom/document.cfm?doc_id=47711