Running a Privacy Impact Assessment (PIA) Presenter: John Ghent

The GDPR & PIAs Article 33 – Data Protection Impact Assessment and Prior Consultation “Where a type of processing … result in a high risk for the rights and freedoms of individuals, the controller shall … carry out an assessment of the impact.” The assessment shall contain at least: (a) a systematic description… (b) an assessment of the necessity and proportionality… (c) an assessment of the risks… (d) the measures envisaged to address the risks…

The GDPR & PIAs - what’s involved A data protection impact assessment referred to in paragraph 1 shall in particular be required in the following cases: (a) …based on automated processing, including profiling, and on which decisions are based that produce legal effects… (b) processing on a large scale of special categories of data referred to in Article 9(1)… (c) a systematic monitoring of a publicly accessible area on a large scale.

The GDPR & PIAs – Who’s involved. Article 33 (The Data Protection Commissioner) The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the European Data Protection Board. Article 37 (Data Protection Officer) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 33;

What is a Privacy Impact Assessment (PIA) A process specifically designed to identify and address Data Protection risks within a new or existing project. The provenance of the data ; What processing is done on the data; Where the data is sent and to whom; When is the data deleted or anonymised.

Who should be involved in a PIA Operations IT DPO Compliance Engagement can vary depending on the customer and the complexity of processing

PIA - a six step process Stakeholders, Entities & Systems Identify Processes Work flow analysis Data Protection Assessment Risk Analysis Implementation

Step 1 Stakeholders, Systems and Entities A complete list of stakeholders, entities and systems. Anyone or anything that comes into contact with data should be considered in this category. This could be A job role, A person, A third party A computer system, etc…

Step 2 Identify Processes A complete list of data management processes. A process is any event that is required to complete a business function. Focus on processes that involve personal and sensitive personal data

Step 3 Workflow Analysis For processes identified in Step 2, we workflow each relevant process into appropriate swim lanes. These swim lanes identify What data is processed What systems have visibility of this data Where this data sent

Step 3 Workflow Analysis (Deliberately Blurred)

Step 4 Data Protection Assessment For each process identified in Step 3, we categorise the processing according to current and upcoming Data Protection legislation, areas of consideration and evaluation of potential risk. The numbers in the sub process above indicate Rules 1, 2 and 6 are relevant for consideration by the DPO when assessing this particular process.

Step 5 Risk Analysis A Risk Register is created in parallel with Step 4 to measure risk against likelihood and severity. Each risk is categorised into Ref Number Risk Date Raised Likelihood Impact Score Action Status

Step 5 Score Likelihood Impact 1 Never happened and unlikely to ever happen Low to no DP related impact (brand, operational, commercial) 2 Has happened but very rarely Minor Impact, easily resolved 3 Happens from time to time Significant impact to company brand and could trigger a user complaint or ODPC investigation. 4 Happens frequently but not continuously May trigger a breach notification process and damaging to company brand, could result in penalties and likely an investigation 5 Happening continuously Should trigger a breach notification process and severely damaging to company brand. Will trigger an investigation from the ODPC and likely fines.

Step 5 – Point in time score card

Step 6 Implementation An agreed implementation plan is formalised into the following categories Ref Number Problem Resolution Agreed Action Complete Old Score New Likelihood New Impact New Score

Overview & recap Stakeholders, Entities & Systems Identify Processes Work flow analysis Data Protection Assessment Risk Analysis Implementation