To PIA or not to PIA
February 06, 2015
The EU Data Protection Regulation, when implemented, will require organisations which process personal information to conduct privacy impact assessments (PIA). The UK regulator, the Information Commissioner (ICO), is clearly of the view that a PIA should be central to any privacy risk assessment.
Organisations that start new projects without a PIA really ought to think again – it will be a requirement in the near future and arguably the regulator views it as such now.
PIAs are a tool which can help organisations to identify privacy risks to individuals in advance and deal with them effectively at the beginning of any project which involves the processing of personal information. They are also useful when changes to existing systems are planned.
Addressing potential problems early will help to achieve a more professional compliance regime and will ultimately reduce costs. A PIA will reduce organisational risk and is viewed as good practice by the ICO. Without a PIA, data protection risk and the potential for a data breach will be increased. In the event of a breach the ICO will view the lack of a PIA as an aggravating factor, especially where he forms the view that a PIA would have identified the problem before the incident occurred.
The ICO has published a code of practice to assist organisations when carrying out PIAs. At a high level, the ICO recommends that organisations should primarily identify the information flows and then map out the privacy risks associated with them. Once the information flows and privacy risks have been identified, the organisation should attempt to identify and evaluate the privacy solutions.
Mapping out information flows is key not just to a PIA but to any privacy assessment related to the processing of personal information. Whilst PIAs are normally used at the beginning of a project, the methodology can be used more generally. As part of the PIA process organisations should describe how personal information is collected, stored, used and deleted. They should also identify what information is used, the purpose for which it is used and who will have access to it.
The ICO is of the view that organisations must fully understand how information is being used in order to understand the privacy risks associated with the processing. If that understanding is incomplete, significant privacy risks may go unidentified.
With new projects a PIA should be considered not just necessary but a prerequisite. Organisations which process personal information and have not completed a PIA should consider using the PIA methodology to assess privacy risks with their current processing of personal information – at the very least map the information flows and identify current privacy risks. It may save money and reputation in the not so long term.