It’s always been wise to conduct a Privacy Impact Assessment (PIA) before any overhaul of your data processes, but with the GDPR looming, assessments are about to become essential. Starting May 25th 2018, conducting data assessments will become an enforced part of any compliance program. Under the GDPR, businesses will be required to carry out the more in-depth Data Protection Impact Assessment (DPIA) to help identify threats to the privacy rights of EU residents.
Why conduct DPIAs?
DPIAs are simply a means to identify risks to privacy rights when processing personal data. The GDPR expects businesses to build an effective response to any risks revealed during a DPIA. Those responses will often include adding deeper technical controls such as the encryption, pseudonymization, and anonymization of personal data. Formulating an ongoing effort to review data procedures will help businesses build a solid foundation for assessing the risk of data systems and securing the sensitive information they hold.
When should DPIAs occur?
An impact assessment should always take place whenever you develop a new way to process personal data. However, with increased emphasis on data protection and accountability (especially in the EU), it’s wise to make it a permanent operating procedure. To get the most value from assessments, focus them on things like the proportionality of operations and a systematic description of processing activities.
Can I use DPIAs for more than data?
While the driving force for conducting DPIAs is GDPR compliance, these assessments also allow service level agreements (SLAs) to evolve between data protection officers and other teams within an organization. This helps the fundamentals of data protection filter through the entire organization, positively affecting things like development, test and deployment, and ongoing monitoring. A comprehensive DPIA plan will also help privacy teams develop an effective privacy by design approach and a risk-based overview of data protection, both of which are essential elements of GDPR compliance. A well-planned and well-implemented DPIA process should eventually become a core part of all operating procedures, and should not be seen as an extra task to tack on at the end.
The privacy by design approach
One of the main goals of the GDPR is to make organizations develop a system of “privacy by design”, with the aim of consistently promoting data compliance from the start of any initiative. This approach is essential for reducing privacy risks and building trust – both within an organization and in the eyes of the law. The UK Government Data Programme has even built a Data Science Ethical Framework to help organizations weigh the benefits and risks of using personal data when developing such a policy. Implementing projects with privacy at the forefront will help:
- Address issues early, making them easier to fix and a lot less costly.
- Increase privacy and data awareness across an entire organization.
- Meet legal obligations, including the GDPR.
Whatever approach you take to comply with the GDPR, the key to success, and of course to compliance, is planning, and planning early. Taking a privacy by design approach and exploring the potential of DPIAs (beyond their role as a compliance requirement) will benefit any organization – from the inside out.