3.2 What is the purpose of a Privacy Impact Assessment?
Now that you have taken a closer look at your data processing practices, read through the following slides, make a small quiz and then continue to the next exercise.
Slide 1: What is a Privacy Impact Assessment
A Privacy Impact Assessment (PIA) is a process which assists teams, departments and organisations who are implementing a project that processes data to identify and minimise privacy risks. Conducting a PIA involves working with people within the organisation, with partner organisations and with the people affected to identify and reduce privacy risks. The PIA model we use in this course consists of 6 steps:
Slide 2: When should you do a Privacy Impact Assessment?
In some countries, conducting a PIA is required by law in some cases. For example, in Europe, a PIA (here called Data Protection Impact Assessment) is required whenever the processing of data is likely to result in a high risk to the rights and freedoms of individuals. Here, a Data Protection Impact Assessment is required at least in the following cases:
- A systematic and extensive evaluation of the personal aspects of an individual, including profiling;
- Processing of sensitive data on a large scale;
- Systematic monitoring of public areas on a large scale.
Slide 3: What is the point of a Privacy Impact Assessment?
In the case of this course we use the Privacy Impact Assessment not as a measure for legal compliance, but rather as a voluntary framework that supports you to systematically review and assess your data practices.
The PIA will help to ensure that potential problems are identified at an early stage, when addressing them will often be simpler and less costly. In fact, a PIA can help you to make your project better and more cost-efficient, because gaining a detailed understanding of how personal information is managed is likely to uncover areas for process improvement.
Slide 4: More than just ticking a box.
The aim of a PIA is to identify potential risks to the processing of personal data. Risks to privacy and individuals freedoms, including the potential risk to stigmatization, discrimination and other social or economic disadvantage. ( See more on risks in session 2 )
To that end, a Privacy Impact Assessment can be done at any stage of a project. However, it is recommended to conduct a PIA at the designing stage, once an overall idea of the project and its objectives exists.
Who should do it? It is recommended that the PIA is conducted by the project management team with support from the data protection and data management experts.
Slide 5: How to do a Privacy Impact Assessment well
The U.K.’s Data Commission states that a PIA must:
- describe the nature, scope, context and purposes of the processing
- assess necessity, proportionality and compliance measures
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
When in doubt turn your organization’s data protection officer and relevant experts.
Note that in some countries the processing of Sensitive Personal Identifiable Data or the identification of a high risk to individuals in a PIA might require you to contact your Data Protection Office prior to the start of the project.