Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs)
What is a privacy impact assessment (PIA)?
A PIA is a privacy risk mitigation tool that helps to identify projects’ potential effects on individual privacy and compliance with data protection legislation, and to examine how detrimental effects might be overcome.
According to the Information Commissioner’s Office’s PIA code of practice, “An effective PIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.”
What is an EU GDPR data protection impact assessment (DPIA)?
Under the new EU General Data Protection Regulation (GDPR), data controllers must carry out data protection impact assessments (DPIAs) to “evaluate, in particular, the origin, nature, particularity and severity” of the “risk to the rights and freedoms of natural persons” before processing personally identifiable information. The DPIA “should include the measures, safeguards and mechanisms envisaged for mitigating” the identified risks.
A DPIA, then, is essentially a PIA by a different name.
Why is a PIA/DPIA needed?
A PIA/DPIA will reduce a project’s privacy risks. An impact assessment helps to identify and address risks at an early stage by analysing how the proposed uses of personal information and technology will work in practice, and proposing methods to mitigate identified risks.
What do PIAs/DPIAs require an organisation to do?
PIAs/DPIAs require an organisation to document:
what kind of personal information will be collected in the project;
how it is collected, used, transmitted and stored;
how and why it can be shared; and
how it is protected from inappropriate disclosure at each step.
When should PIAs/DPIAs be conducted?
PIAs should be carried out when new projects, or revisions to existing practices, are being planned. According to the ICO, businesses conducting PIAs should ensure that their project plans are flexible enough to allow for changes if the PIA identifies any privacy issues that need to be addressed.
When is a PIA needed?
According to the ICO, when a business plans to:
embark on a new project involving the use of personal data;
introduce new IT systems for storing and accessing personal information;
participate in a new data-sharing initiative with other organisations;
initiate actions based on a policy of identifying particular demographics;
use existing data for a “new and unexpected or more intrusive purpose”.
When is a DPIA needed?
According to the GDPR, a DPIA should focus “on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes”.
DPIAs should be carried out:
“prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk”;
“where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures”;
“for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale”;
“where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity”.
Who is required to conduct PIAs?
Government departments in the UK are required to conduct PIAs. While there is no statutory requirement for a PIA to be developed, the government has chosen to do so in the interests of best practice. The ICO has issued guidelines for conducting PIAs as an element of good privacy management practice. Reforms to EU data protection law could see PIAs become mandatory for certain kinds of personal data processing.
What is ‘privacy by design’?
PIAs are an integral part of taking a privacy by design approach.
Privacy by design means that privacy issues are considered and embedded into a programme’s design from an early stage.
What are the benefits of privacy by design?
Taking a privacy by design approach is important for reducing privacy risks and building trust. According to the ICO, designing projects, processes, products or systems with privacy in mind can lead to the following benefits:
Potential problems are identified at an early stage.
Addressing problems early will often be simpler and less costly.
Increased awareness of privacy and data protection across the organisation.
Organisations are more likely to meet their legal obligations.
Organisations will be less likely to breach the Data Protection Act.
Actions are less likely to be privacy intrusive and have a negative impact on individuals.