PIA is a Process Designing for Privacy Leonardo H. Iwaya CC-BY-4.0
What is Data Protection Impact Assesment? • ” Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. ” – Art. 35 GDPR.
What is Privacy Impact Assesment? • ”A privacy impact assessment (PIA) is an instrument for assessing the potential impacts on privacy of a process, information system, programme, software module, device or other initiative which processes personally identifiable information (PII) and, in consultation with stakeholders , for taking actions as necessarily in order to treat privacy risk.” – ISO/IEC 29134:2017.
Who benefits from PIAs? They do: • Your customers and general public – because you are looking out for their privacy interests • Your organisation – because you demonstrate to your employees and contractors that you take privacy seriously and expect them to the same • The regulators – because when you carry out a proper PIA you clarify your project information dealings, making their work easier
Who benefits from PIAs? Not sure yet? • A PIA helps to reduce costs in management time, legal expenses and potential negative media (i.e., PR also likes it) • A PIA helps to demonstrate compliance as an element of accountability • A PIA enhances informed decision-making and exposes internal communication gaps or hidden assumptions • A PIA helps to avoid privacy pitfalls of a project • And, well... it might be mandatory...
How do you do PIA? • ”[PIA] is a process which should begin at the earliest possible stages, when there are still opportunities to influence the outcome of a project. It is a process that should continue until and even after the project has been deployed.” – David Wright The state of art in PIA (2012)
How do you do PIA? “While each project is 1. Conduct a threshold 2. Plan the PIA 3. Describe the project assessment Prepare a ‘big picture’ description Consider how detailed the PIA different, a PIA should Work out the extent to which the will be, who will conduct it, who of what the project will deliver generally include the project will benefit from a PIA. needs to be consulted, when it and what it will achieve, why it is Generally, if personal information needs to be delivered, and needed, timeframes, and any following steps:” is involved in the project, a PIA whether the PIA Report will be links to existing projects. This will will be necessary. published and if so, in what provide context for the PIA – OIC Queensland format. process. Overview of the Privacy Impact 4. Identify and consult with 5. Map the personal 6. Identify the privacy issues Assessment process (2017) stakeholders information flow Compare the project’s personal Identify who has an interest in or Describe how personal information handling practices is affected by the project, the information will be collected, against the privacy obligations level of consultation warranted by stored, used and disclosed in the set out in the [GDPR] to identify the project and how the project from beginning to end. any privacy issues. consultation will be conducted. 7. Identify options to address 8. Prepare the PIA Report 9. Action the agency's the privacy issues response to the PIA Report Provide a report that sets out the Consider what options will information gathered throughout Incorporate the tasks necessary address the privacy issues. If the PIA and its findings to the to action the agency's response there are multiple options, relevant governance body for to the PIA Report into the wider evaluate the cost, risk and approval. project management process. benefit of each option to identify the most appropriate option.
References • EU GDPR, 2017. Article 35 EU GDPR ”Data protection impact assessment” . (http://www.privacy-regulation.eu/en/35.htm) • ISO/IEC 29134, 2017. Information technology – Security techniques – Guidelines for privacy impact assessment . (https://www.iso.org/standard/62289.html) • Wright, D., 2012. The state of the art in privacy impact assessment . Computer Law & Security Review , 28(1), pp.54-61. • Clarke, R., 2009. Privacy impact assessment: Its origins and development. Computer law & security review , 25(2), pp.123-135. • OIC, 2017. Overview of the Privacy Impact Assessment (PIA) process . (https://www.oic.qld.gov.au/guidelines/for-government/guidelines-privacy- Icons and Images Graphiqa Stock ( https://www.iconfinder.com/graphiqa ) principles/privacy-compliance/overview-privacy-impact-assessment-process) Vectto ( https://www.iconfinder.com/vectto ) Alla Afanasenko ( https://www.iconfinder.com/alla.afanasenko )
Recommend
More recommend