Running a Privacy Impact Assessment (PIA)
Presenter: John Ghent
The GDPR & PIAs
Article 33 – Data Protection Impact Assessment and Prior Consultation
“Where a type of processing … result in a high risk for the rights and freedoms of individuals, the controller shall … carry out an assessment of the impact.”
The assessment shall contain at least:
(a) a systematic description…
(b) an assessment of the necessity and proportionality…
(c) an assessment of the risks…
(d) the measures envisaged to address the risks…
The GDPR & PIAs - what’s involved
A data protection impact assessment referred to in paragraph 1 shall in particular be required in the following cases:
(a) … based on automated processing, including profiling, and on which decisions are based that produce legal effects…
(b) processing on a large scale of special categories of data referred to in Article 9(1)…
(c) a systematic monitoring of a publicly accessible area on a large scale.
The GDPR & PIAs – Who’s involved.
Article 33 (The Data Protection Commissioner)
The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the European Data Protection Board.
Article 37 (Data Protection Officer)
… to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 33;
What is a Privacy Impact Assessment (PIA)
A process specifically designed to identify and address Data Protection risks within a new or existing project. It establishes:
- The provenance of the data;
- What processing is done on the data;
- Where the data is sent and to whom;
- When the data is deleted or anonymised.
Who should be involved in a PIA
- Operations
- IT
- DPO
- Compliance
Engagement can vary depending on the customer and the complexity of processing.
PIA - a six step process
1. Stakeholders, Entities & Systems
2. Identify Processes
3. Work flow analysis
4. Data Protection Assessment
5. Risk Analysis
6. Implementation
Step 1 Stakeholders, Systems and Entities
A complete list of stakeholders, entities and systems. Anyone or anything that comes into contact with data should be considered in this category. This could be a job role, a person, a third party, a computer system, etc.
Step 2 Identify Processes
A complete list of data management processes. A process is any event that is required to complete a business function. Focus on processes that involve personal and sensitive personal data.
Step 3 Workflow Analysis
For processes identified in Step 2, we workflow each relevant process into appropriate swim lanes. These swim lanes identify:
- What data is processed
- What systems have visibility of this data
- Where this data is sent
Step 3 Workflow Analysis (Deliberately Blurred)
Step 4 Data Protection Assessment
For each process identified in Step 3, we categorise the processing according to current and upcoming Data Protection legislation, areas of consideration and evaluation of potential risk. The numbers in the sub-process above indicate that Rules 1, 2 and 6 are relevant for consideration by the DPO when assessing this particular process.
Step 5 Risk Analysis
A Risk Register is created in parallel with Step 4 to measure risk against likelihood and severity. Each risk is categorised into:
Ref Number | Risk | Date Raised | Likelihood | Impact | Score | Action | Status
Step 5 – Scoring
Score | Likelihood | Impact
1 | Never happened and unlikely to ever happen | Low to no DP related impact (brand, operational, commercial)
2 | Has happened but very rarely | Minor impact, easily resolved
3 | Happens from time to time | Significant impact to company brand; could trigger a user complaint or ODPC investigation
4 | Happens frequently but not continuously | May trigger a breach notification process; damaging to company brand, could result in penalties and likely an investigation
5 | Happening continuously | Should trigger a breach notification process; severely damaging to company brand. Will trigger an investigation from the ODPC and likely fines
Step 5 – Point in time score card
Step 6 Implementation
An agreed implementation plan is formalised into the following categories:
Ref Number | Problem | Resolution | Agreed Action | Complete | Old Score | New Likelihood | New Impact | New Score
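A minimal Step 5 Risk Register and Step 6 implementation plan in Python, added here as an example and not taken from the presentation. The column names and the 1-5 descriptors are the slides' own; the Score formula (Likelihood × Impact), the `risk_score`, `implementation_row` and `by_priority` helpers and the sample register entries are assumptions.

```python
from dataclasses import dataclass
# Step 5 scale descriptors from the slides, shortened to their first clause.
LIKELIHOOD = {1: "Never happened and unlikely to ever happen",
              2: "Has happened but very rarely", 3: "Happens from time to time",
              4: "Happens frequently but not continuously",
              5: "Happening continuously"}
IMPACT = {1: "Low to no DP related impact", 2: "Minor impact, easily resolved",
          3: "Significant impact to company brand",
          4: "May trigger a breach notification process",
          5: "Should trigger a breach notification process"}

def risk_score(likelihood: int, impact: int) -> int:
    """Step 5 Score. Assumed formula Likelihood x Impact (the slides list the
    column but not the formula). Values off the 1-5 scale are rejected."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must each be 1-5")
    return likelihood * impact

@dataclass
class Risk:  # one Risk Register row, columns as on the Step 5 slide
    ref_number: str
    risk: str
    date_raised: str
    likelihood: int
    impact: int
    action: str = ""
    status: str = "Open"

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

def implementation_row(risk: Risk, resolution: str, agreed_action: str,
                       new_likelihood: int, new_impact: int, complete: bool):
    """One Step 6 implementation-plan row: the old score is kept beside the
    re-assessed likelihood/impact so the reduction is visible."""
    return {"Ref Number": risk.ref_number, "Problem": risk.risk,
            "Resolution": resolution, "Agreed Action": agreed_action,
            "Complete": complete, "Old Score": risk.score,
            "New Likelihood": new_likelihood, "New Impact": new_impact,
            "New Score": risk_score(new_likelihood, new_impact)}

def by_priority(register):
    """Point-in-time score card order: highest score first."""
    return sorted(register, key=lambda r: r.score, reverse=True)

# Constructed sample register (illustrative entries, not real findings).
REGISTER = [Risk("R-01", "CVs emailed to recruiter unencrypted", "2017-03-01", 4, 3),
            Risk("R-02", "Candidate data never deleted", "2017-03-01", 5, 4),
            Risk("R-03", "Payroll export left on shared drive", "2017-03-02", 2, 2)]
```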
Overview & recap
1. Stakeholders, Entities & Systems
2. Identify Processes
3. Work flow analysis
4. Data Protection Assessment
5. Risk Analysis
6. Implementation