In our webinar, “Does the GDPR Require PIA’s? Only Sometimes”, we discussed the GDPR’s requirements, as well as a next generation approach to Privacy Impact Assessments (PIA) and Data Protection Impact Assessments (DPIA), which is called an Accountability PIA. An “Accountability PIA” operationalizes governance on a project-level and extends the functionality and value of a PIA beyond its traditional use. Before discussing the details of an Accountability PIA it is useful to review the traditional approach to PIA’s and the requirements for DPIA’s under the GDPR.
The Traditional Approach to PIA
A Privacy Impact Assessment (PIA) is a methodology for assessing the impact of a project, policy, program, service, product, or other initiative, on privacy. A PIA also involves working with stakeholders within the business, to take remedial actions, as necessary, to avoid or minimise negative impacts.
In short, a PIA can be described as a process to to mitigate privacy and data protection risk and help enable compliance.
PIAs have been mandatory in the public sector in many countries for many decades, and have become increasingly common in the private sector in recent years. From 2018, the GDPR requires that a Data Protection Impact Assessment (DPIA) be completed, though only under certain circumstances.
It is worth noting that currently, the terms DPIA and PIA are used interchangeably. That being said, the team at Nymity believes that in the near future, the terminology will be used to differentiate between a accountability exercise (PIA), and a in case of high risk data processing operations (DPIA) that is legally mandated by the GDPR.
When should I conduct a DPIA?
The Data Protection Impact Assessment is addressed in Article 35 of the GDPR, stating that a DPIA is necessary only for high-risk scenarios. This means that a DPIA will not need to be carried out for each and every project.
The Article 29 Working Party (the assembly of EU data protection authorities) has published draft guidelines (WP248 – Guidelines on DPIA), containing a flow chart to determine whether processing “is likely to result in high risk” as described in the GDPR. This is a helpful visual to use when considering if your own project requires a DPIA:
A new approach to DPIA's: The Accountability DPIA
At Nymity, our research has shown that companies can leverage investments they have made in accountability by operationalizing existing “accountability mechanisms” at the project level. Accountability mechanisms are mechanisms that organizations implement to mitigate privacy risk, for example, policies, procedures, guidelines, checklists, training and awareness programs, and technical safeguards and measures.
The new approach also can save resources by combining the DPIA and the Article 30 Record of Processing Activities requirements.
Our recent Whitepaper, “The Next Generation Privacy Impact Assessment” outlines our research on this approach, and can be downloaded at: http://www.nymity.com/next-generation-pia.aspx.
Our accountability-based PIA approach contains three steps:
- Identify the benefits of data use to individuals
We start the process by identifying the benefits of data processing to individuals. This simple step enables the business to do more processing, better regulatory reporting and ultimately provides more benefits to data subjects.
This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.*
- Mitigate risks with accountability mechanisms
Accountability mechanisms provide instructions, guidelines, and rules for processing personal data. These mechanisms are developed by asking questions, and using a “privacy by design” approach to develop risk mitigation at the beginning that is naturally built into the products and processes.
- Assess effectiveness of the process
In a traditional PIA, the “assessment” phase takes place after the data gathering phase, and typically involves the identification of “gaps” in which risk is highlighted and remediation steps are identified. In an Accountability PIA, the assessment takes place after the risk is mitigated, providing a more powerful line of sight on the effectiveness of the mitigation techniques.
This next generation PIA approach enables the process to make better use of resources, be much more scalable and provide higher assurances that risk is mitigated effectively. If subject to the GDPR, the approach will also produce your Article 30 records of processing. In this respect, it is easy to see how conducting a accountability PIA can produce beneficial results on a number of different levels beyond simple data protection.
How Nymity Helps
Nymity has years of experience supporting the privacy office in operationalising compliance and meeting the requirements of data protection and privacy legislation. Our SmartPIA™ software solution takes a privacy by design approach, mitigating risk prior to conducting assessments. Not only do organisations satisfy DPIA requirements, the SmartPIA also produces their Record of Processing Reports making GDPR compliance easily demonstrated.
To learn more about the Nymity Accountability PIA, you can request a demo today on our website, at: https://www.nymity.com/products/expertpia.aspx.
Elizabeth Denham. Information Commissioner’s Office Blog. August 9, 2017.