The French Data Protection Authority, the Commission Nationale Informatique et Liberté (CNIL), has released a tool to help data controllers comply with the upcoming General Data Protection Regulation (GDPR). The tool is aimed at automating the mandatory assessment of the risk that data processing activities pose to the rights and freedoms of data subjects under Article 35 GDPR. Article 35 GDPR concerns the so-called Privacy Impact Assessments (PIAs), a self-regulatory instrument to be carried out by the company (controller) processing the data. PIAs replace the instrument of prior checking by the Data Protection Authorities (DPAs) under Article 20 of the Data Protection Directive (95/46/EC), an instrument that, because of the limited resources of DPAs, fell short of actually increasing privacy for data subjects.
The new regime laid down in Article 35 GDPR requires controllers to assess the risk themselves in a self-assessment. If a high risk to the rights and freedoms of the data subject is identified and cannot be mitigated by adequate technical and organizational measures (TOMs), an obligation to consult the DPA arises under Article 36 GDPR. Unfortunately, neither the GDPR provisions nor the recitals make clear which methodology should be applied to carry out a PIA.
The newly released CNIL tool is the first software tool for carrying out PIAs that has been officially developed and disseminated by a DPA. The software runs on Windows as well as Mac operating systems, is free of charge and open source. The CNIL is encouraging collaboration on and further development of the tool through contributions via GitHub.
The tool is divided into three sections: the context of the processing activity, the fundamental principles, and the actual risk assessment. These three sections are followed by an automated validation section comprising a risk map, an action plan and a way to file the PIA with the competent DPA.
If you would like to try it yourself, you can find the tool on the CNIL website. The tool is definitely a step in the right direction, although it still leaves open the question of which TOMs can mitigate a given risk level, an issue the German Standard Data Protection Model recently set out to solve.