DIGITAL TECHNOLOGY IS evolving in ways that enable more sophisticated processing and manipulation of data – and how organisations are allowed use information is also changing.
The impending arrival of the General Data Protection Regulation (GDPR) on 25 May – which includes the requirement of Privacy Impact Assessments, or PIAs – aims to ensure that the treatment of the key principles of data protection are upheld.
Recent revelations in the media have highlighted the importance of transparency and accountability when it comes to how organisations process data and the risks associated with it.
Processing data incorrectly and without consent, or for any valid legal basis, can not only discredit your brand and its integrity, but it can also destroy the loyalty and trust that your company has built with its customers.
That’s where PIAs come in.
What is a PIA?
A PIA is a risk-based assessment used to ensure that the rights and freedoms of data subjects – your customers or clients – are protected when any processing of their data is performed by an organisation.
They are compulsory as an element of GDPR and are important as they ensure that the rights and freedoms of individuals are respected.
There are a number of advantages for organisations that implement PIAs. Here are a few:
- Builds trust and transparency with data subjects and stakeholders
- Essential tool in minimising privacy and security risk
- Ensures practical implementation of privacy for businesses
- Key to increasing awareness of privacy across organisations
- Supports in identifying any data use concerns early in a project
- Organisation actions are less likely to be privacy intrusive or have any negative impacts on individuals
- Increases likelihood of GDPR compliance and other privacy regulations
Where high-risk data is accessed, a PIA is mandatory. Such high-risk processing has traditionally applied to several industry sectors, in particular, financial, healthcare and local government and can include processing of data where:
- Evaluation, scoring or automated decision-making is made on specific individuals
- Processing is used to monitor or control data subjects such as CCTV
- Large-scale processing takes place with a range of different data items processed for a long duration or involves a large geographical area
- Processing of personal data is matched from two or more sources that would exceed the reasonable expectations of the data subject
- Data subjects are vulnerable or disadvantaged in their ability to query or dispute the data processing
- Where new technologies are used that could be regarded as privacy intrusive
- Data is provided to ‘new’ individuals who did not have routine access to it previously
- Collection of new data about individuals is not already collected, and could be regarded as privacy intrusive
- Involves collection of data from minors under the age of 16
- If any sensitive categories of data are processed whether it involves data collected directly from individuals or from other sources
Once you have determined if a PIA is necessary for your organisation there are three main steps to follow:
1. Establish the context of processing
This involves assessing what data is being processed. There are a number of questions organisations must ask themselves:
- In what way is the data used and for what purpose?
- Is it necessary?
- Is it proportional and fair?
- What is the degree of technology use?
- Are we compliant with guidelines or relevant codes of conduct?
2. Assess those risks
What kind of risks are they? For example, is there a legal or non-compliance risk? What is the impact on individuals or organisations?
Once risks have been identified the next step is envisaging the measures required to demonstrate compliance and assessing risks to the rights and freedoms of the individuals.
3. Treat or minimise those risks
Outline measures envisaged to address the risks, include documentation requirements and monitoring and review details. Common fixes can include:
- Minimising or reducing personal data collected/processed
- Improving or updating communications or notifications to individuals
- Improving opt-in mechanisms for collection and improving collection transparency
- Improve safe and secure mechanisms
- Provide training and awareness to data owners and handlers
It’s important to emphasise that a PIA is not just a checklist and that it should be implemented at all levels of an organisation in order for it to be effective.
It needs to be built into the early phase of any company project lifecycles and be in line with GDPR guidelines to work well. Likewise getting buy-in from senior-levels of the organisation and introducing the relevant training required will ensure its future success.
Remember that compliance not only ensures that you are processing data correctly in your organisation, it also ensures that your employees, specifically those that handle your data – such as your data protection officer – perform their duties to best practice and that your customer data remains protected.
Seamus Galvin is group innovation and research manager at BSI Cybersecurity and Information Resilience.