If you work in a company in the European Union or the UK you have probably heard your fair share about data protection. From HR to Sales, personal data infiltrates almost every aspect of a company. One of the biggest tasks under the General Data Protection Regulation (GDPR) is collecting all the information required and compiling it into a form that is compliant, functional and effective.
Privacy Impact Assessments (PIAs)
Under Art. 30 GDPR, any company which processes personal data must create and maintain a Record of Processing Activities (ROPA). This record must list every processing activity in which personal data is processed. Along with the name of the processing activity, the following must be provided:
- information about the controller(s);
- the purposes of the processing;
- categories of data subjects;
- categories of personal data;
- categories of third-party recipients;
- transfers to a third country or an international organization and the documentation of suitable safeguards;
- retention periods; and
- a description of the technical and organizational measures (TOMs).
These entries in the ROPA, together with an assessment of compliance with the regulation, are considered Privacy Impact Assessments (PIAs). A PIA analyzes how an entity collects, uses, shares, and maintains personally identifiable information, in relation to the existing risks. PIAs are required for all processing activities within an organization where personal data is processed, and they are instrumental in a company implementing privacy by design. The information obtained by conducting a PIA is what a company needs to establish the policies that shape company culture and protect the privacy of the personal data being processed.
Data Protection Impact Assessments (DPIAs)
In some cases, PIAs are confused with Data Protection Impact Assessments (DPIAs), referred to in Art. 35 GDPR. However, the two are different. A DPIA is all about identifying and minimizing the risks associated with the processing of personal data, and it is required only in certain circumstances.
Expanding on the guidance provided in GDPR Recital 90, the UK’s Information Commissioner’s Office (ICO) stated that DPIAs must:
- describe the nature, scope, context and purpose of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
According to GDPR Recital 84, “The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation.”
In order to make this process a little easier, GDPR Recital 91 provides guidance regarding when such an assessment is required. These situations include where:
- a considerable amount of personal data is processed;
- a new technology is used;
- profiling occurs; or
- monitoring in public areas takes place.
For a DPIA to be required, these situations must be combined with the fact that the processing is likely to result in a high risk to the rights and freedoms of data subjects. In order to simplify the “necessity assessment”, Art. 35 para. 4 GDPR provides that the supervisory authority should create a whitelist and a blacklist of processing activities exempt from and subject to a DPIA, respectively. Currently each country in the EU has its own list, whether it be a whitelist, a blacklist or both; one consolidated list is not currently available.
A two-step process
Looking at the information required for each assessment, you can view them as a two-step process to compliance with the GDPR. Phase one, the PIA, is completed for every instance of processing where personal data is involved. Phase two, the DPIA, is completed only if the initial PIA indicates that the relevant activities present a heightened risk, or if a DPIA is specifically required by the authorities.
As privacy counsel, it is extremely important to understand the difference between the two analyses and to be able to explain that difference to clients. In English, only the Data Protection Impact Assessment is named in the actual text of the GDPR, and in other places the two terms are sometimes described as interchangeable. However, as mentioned above, a PIA is required for all processing activities involving personal data and can be completed in a short and concise form. DPIAs, on the other hand, are required only for certain processing activities and should provide more in-depth information regarding the processing and the way in which the organization minimizes the risks to data subjects associated with processing their personal data in this manner.