With GDPR looming, businesses need effective tools to help them ensure they meet their obligations under the legislation. That sounds tough, but actually the ICO had already included one particularly crucial tool within its remit under the Data Protection Act, the PIA – Privacy Impact Assessment. The approach that GDPR has taken on data protection has seen the introduction of a slightly extended version, the Data Protection Impact Assessment (DPIA). Essentially, however, a PIA and a DPIA are the same thing.
For some organisations, DPIAs are going to become compulsory. For others, the powers-that-be will deem them so anyway. But that’s not a reason to loathe this new kid on the block. In fact, it’s a reason to welcome both versions with open arms…
What is a PIA/DPIA?
A PIA/DPIA is a means by which an organisation can identify the most effective way to both meet its data protection obligations and ensure individuals’ privacy. You could say it’s effectively a risk assessment, carried out very early on in any project, of the project’s personal-data processing element.
This means a PIA/DPIA isn’t just a form to be filled, it’s a process. It’s used at the beginning, the middle, and at the end. As the ICO says, “A PIA enables an organisation to systematically and thoroughly analyse how a particular project or system will affect the privacy of the individuals involved.” (ICO’s “PIA Code of Practice”, Chapter 1).
What is meant by ‘a project’?
It’s important to know the answer to this question, because the term ‘project’ isn’t being used in the traditional sense that project management methodologies use. With regard to data protection, a project is a broad term that covers any plan or proposal which will include the use of personal data. The purpose is always to ensure that privacy risks are brought to a minimum.
When must a PIA/DPIA be carried out?
If a PIA/DPIA is required, it must be carried out before the processing of any personal data takes place.
According to the ICO, a PIA is required if an organisation:
- Is planning to embark on a new project involving the use of personal data.
- Is looking to introduce new IT systems for storing and accessing personal information.
- Is considering a data-sharing initiative with other organisations.
- Takes action as a result of identifying particular demographics.
- Intends to use existing data for a “new and unexpected or more intrusive purpose”.
The EU GDPR legislation then extends this, and a DPIA is required when the processing of personal data is likely to mean there is a high risk to an individual’s rights. But there’s a bit more to it than that, as you’d expect. For example:
- When the extensive evaluation of personal data occurs on an automated basis, e.g. search engines with targeted marketing applications.
- When sensitive data that relates to criminal offences and convictions is processed on a large scale.
- When a publicly accessible area is systematically monitored, e.g. CCTV in a park.
This may all sound a bit heavy-handed, but there is an upside to the process.
The benefits of a PIA/DPIA
PIAs/DPIAs are a key tool for facilitating privacy by design, one of the main tenets of GDPR. They ensure that issues regarding the privacy of individuals, with respect to the use and storage of their data, are considered right from the start of a project… and then on an ongoing basis. First and foremost, therefore, conducting a PIA/DPIA is a way of clearly demonstrating that your organisation is complying with GDPR. But there are additional benefits too:
- It protects an organisation against unintended data protection risks.
- It reduces the operating costs of a project by optimising the information flow and removing the wasted time of collecting and processing unnecessary data.
- It reduces the costs related to tackling data issues once a project has been initiated.
- It inspires confidence in the organisation, both amongst employees and the public.
If the subject of PIAs and DPIAs has caught your attention, at Virtual ROI we don’t just run informative seminars on the subject, we also offer consulting help. If you have any concerns regarding how to run projects that meet GDPR requirements, we’re here to help, support and provide guidance.