It is recommended that you download and study the full text provided by the ICO.
This document has been developed to relate the ICO recommendations to their implementation in GDPR Software. It can sit alongside the Assessment module as a quick ready reference to the ICO guidelines on PIAs: use the Options menu to open this guide alongside your Assessment.
PIA or DPIA? A PIA (Privacy Impact Assessment) covers all aspects of privacy (physical and informational), whereas a DPIA (Data Protection Impact Assessment, the term used by the GDPR) focuses on the processing of personal data. The ICO, who publish the guide "Conducting privacy impact assessments code of practice", make it clear that their PIA code "is concerned primarily with informational privacy", so following their code for PIAs may be considered consistent with the DPIA requirements.
The EU's Article 29 Data Protection Working Party has published "Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is 'likely to result in a high risk' for the purposes of Regulation 2016/679". In their introduction they state that the term "Privacy Impact Assessment" (PIA) is often used in other contexts to refer to the same concept, so the ICO PIA code can be considered appropriate for DPIAs.
The same guidelines help you identify when a DPIA is required. They define 10 criteria based on how you process data (see the full document for the complete list and explanations); the criteria named in the table below are a subset.
As a rule of thumb, processing operations that meet at least two of these criteria will require a DPIA. Meeting only one criterion does not rule a DPIA out; the controller must still judge whether the processing is likely to result in a high risk.
| Examples of processing | Possibly relevant criteria | DPIA required? |
|---|---|---|
| A hospital processing its patients' genetic and health data (hospital information system). | Sensitive data; data concerning vulnerable data subjects | Yes |
| The use of a camera system to monitor driving behaviour on highways. The controller plans to use an intelligent video analysis system to single out cars and automatically recognise licence plates. | Systematic monitoring; innovative use or applying technological or organisational solutions | Yes |
| A company monitoring its employees' activities, including the monitoring of the employees' work stations, internet activity, etc. | Systematic monitoring; data concerning vulnerable data subjects | Yes |
| The gathering of public social media profile data to be used by private companies generating profiles for contact directories. | Evaluation or scoring; data processed on a large scale | Yes |
| An online magazine using a mailing list to send a generic daily digest to its subscribers. | (none) | Not necessarily |
| An e-commerce website displaying adverts for vintage car parts, involving limited profiling based on past purchase behaviour on certain parts of its website. | Evaluation or scoring, but not systematic or extensive | Not necessarily |
A privacy impact assessment is a process which helps an organisation to identify and reduce the privacy risks of a project. An effective PIA will be used throughout the development and implementation of a project, using existing project management processes. A PIA enables an organisation to systematically and thoroughly analyse how a particular project or system will affect the privacy of the individuals involved.
The ICO uses the term "project" in a broad and flexible way: it means any plan or proposal in an organisation, and does not need to meet an organisation's formal or technical definition of a project, for example one set out in a project management methodology.
PIAs are often applied to new projects, because this allows greater scope for influencing how the project will be implemented. A PIA can also be useful when an organisation is planning changes to an existing system. A PIA can be used to review an existing system, but the organisation needs to ensure that there is a realistic opportunity for the process to implement necessary changes to the system.
The purpose of the PIA is to ensure that privacy risks are minimised while allowing the aims of the project to be met whenever possible. Risks can be identified and addressed at an early stage by analysing how the proposed uses of personal information and technology will work in practice. This analysis can be tested by consulting with people who will be working on, or affected by, the project.
The PIA process is a flexible one that can be integrated with an organisation's existing approach to managing projects. The time and resources dedicated to a PIA should be scaled to fit the nature of the project.
A PIA should begin early in the life of a project, but can run alongside the project development process.
A PIA should incorporate the following steps:
The need for a PIA can be identified as part of an organisation's usual project management process or by using the screening questions below.
These questions are intended to help organisations decide whether a PIA is necessary. Answering yes to any of these questions is an indication that a PIA would be a useful exercise. You can expand on your answers as the project develops if you need to.
You can adapt these questions to develop a screening method which fits more closely with the types of project you are likely to assess.
Once you have decided which project/process needs a PIA, you will create a new Assessment. There is some sample data available to demonstrate this process: using the main menu navigate to Dashboard - Stage 10: New Organisational Practices, Section 3: Conduct DPIAs For New Systems. Select the Assessments tab and the button Load Sample Data. Edit the assessment and you will see Assessment Item 1: Consultation - Privacy impact assessment screening questions.
To create a new set of questions, simply copy and paste from the text below:
Will the project involve the collection of new information about individuals? YES / NO
Will the project compel individuals to provide information about themselves? YES / NO
Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information? YES / NO
Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used? YES / NO
Does the project involve you using new technology which might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition. YES / NO
Will the project result in you making decisions or taking action against individuals in ways which can have a significant impact on them? YES / NO
Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be particularly private. YES / NO
Answering yes to any of these questions is an indication that a PIA would be a useful exercise. You can expand on your answers as the project develops if you need to.
Describe the information flows of the project. Explain what information is used, what it is used for, who it is obtained from and disclosed to, who will have access, and any other necessary information.
As part of the PIA process organisations should describe how information is collected, stored, used and deleted. They should explain what information is used, what it is used for and who will have access to it. This step is a key part of any PIA process. A thorough assessment of privacy risks is only possible if an organisation fully understands how information is being used in a project. An incomplete understanding of how information is used can be a significant privacy risk in itself: for example, data might be used for unfair purposes, or disclosed inappropriately.
This part of the PIA process can be integrated with any similar exercises which would already be done. Many organisations already conduct information audits, develop information maps and user journeys, and make use of information asset registers. If an organisation has already produced a project proposal or similar document this can be useful for understanding how personal data might be used.
GDPR Software has two features that you can use to describe the information flow: the Register To Process Data and an Assessment. Which one you choose will depend on the project or process on which you are conducting your DPIA.
Register To Process Data: The Register allows you to create an entry for that process and map the data to the type of processing, the data subjects and the data recipients. You can also describe any safeguards and security measures that might be in place. There is some sample data available to demonstrate this process: using the main menu navigate to Registers - Processing of Data and select the button Load Sample Data. Edit the sample entry shown below to see how the information flow has been documented.
Sample - Processing of orders by the warehouse:
Type of Data: Packing note or Order will contain EXTERNAL Identifying data.
Type of Data Processing: Accounts and records.
Data Subject: Customers.
Recipients of the Data: Suppliers and the Data Subject (Customer).
Assessment: The Assessment module allows you to create a number of assessment items in a particular order to describe the information flow. At each step you can record the analysis. There is some sample data available to demonstrate this process: using the main menu navigate to Dashboard - Stage 10: New Organisational Practices, Section 3: Conduct DPIAs For New Systems. Select the Assessments tab and the button Load Sample Data.
Edit the assessment and you will see the Assessment Items that form the basis for the analysis of the information flow:
What type of data is being collected?
Who is collecting and using that data?
Where is that data being collected, used and then where does it go?
When is data being collected and then used?
How is data collected and then used?
Why is data being collected and then used?
NOTE: Remember to use the Action Tab within the framework to allocate any actions to assist in the process and to provide evidence of the whole process.
Some will be risks to individuals, for example damage caused by inaccurate data or a security breach, or upset caused by an unnecessary intrusion on privacy.
Some risks will be to the organisation, for example damage to reputation, or the financial costs of a data breach.
Compliance risks include non-compliance with the DPA, PECR and the Human Rights Act.
At this stage, organisations should assess the likely privacy issues associated with the project. A key principle of PIA is that the process is a form of risk management.
When conducting a PIA an organisation is systematically considering how their project will affect individuals´ privacy.
There are various ways in which a project can impact on privacy or can introduce a risk to privacy. Privacy risks to individuals usually have associated compliance risks and risks to the organisation. For example a project which is seen as intrusive or insecure by the public also increases the risk of fines, reputational damage, loss of business and failure of the project.
Risks to individuals can be categorised in different ways and it is important that all types of risk are considered. These range from risks to the physical safety of individuals, through material impacts (such as financial loss), to moral impacts (for example, distress caused).
Possible risks include:
Risks to individuals
Corporate risks
Compliance risks
See below for examples.
GDPR Software uses the Assessment module to allow you to analyse risk. You are trying to look at a Privacy Issue and evaluate the Risk to Individuals and the associated Compliance Risk and/or the associated Organisation/Corporate Risk.
An example would be the risk that we cannot remove all customer data in a timely manner:
Privacy Issue: Article 17 Right to erasure (right to be forgotten).
Risk to individual: Inaccurate or defamatory data is intrusive to the customer.
Compliance Risk: Non-compliance with GDPR/DPA.
Corporate Risk: Non-compliance with the GDPR/DPA or other legislation can lead to sanctions, fines and reputational damage.
In the Assessment module you create new assessment items within your DPIA for each identified potential privacy issue. There is some sample data available to demonstrate this process: using the main menu navigate to Dashboard - Stage 10: New Organisational Practices, Section 3: Conduct DPIAs For New Systems. Select the Assessments tab and the button Load Sample Data.
Edit the assessment and you will see Assessment Items of type Risk Assessment that form the basis for the risk analysis.
Assessment Item Type: Risk Assessment.
Title: Customers cannot get all of their data removed.
Details: Privacy (Article 17) Right to erasure - If a customer requests removal of all data can we do it quickly?.
Likelihood: Unlikely.
Severity: Moderate.
Risk Factor: 3.
Mitigation: The computer systems are all linked to a common database, there is only one instance of customer data.
NOTE: Remember to use the Action Tab within the framework to allocate any actions to assist in the process and to provide evidence of the whole process.
Explain how you could address each risk. Some might be eliminated altogether. Other risks might be reduced. Most projects will require you to accept some level of risk, and will have some impact on privacy.
Evaluate the likely costs and benefits of each approach. Think about the available resources, and the need to deliver a project which is still effective.
At this stage organisations should identify what action could be taken to address risks to privacy. It is important to remember that the aim of a PIA is not to completely eliminate the impact on privacy. The purpose of the PIA is to reduce the impact to an acceptable level while still allowing a useful project to be implemented. The process of identifying and implementing changes should be integrated with the wider project development process.
When an organisation is deciding on privacy solutions it needs to consider whether the impact on privacy is proportionate to the aims of the project. Privacy solutions are steps which can be taken to reduce the privacy impact. The aim of this stage of the process is to balance the project's outcomes with the impact on individuals.
Organisations should record whether each privacy solution that has been identified results in the privacy risks being eliminated, reduced or simply accepted. There are many different steps which organisations can take to reduce a privacy risk. Some of the more likely measures include:
Organisations will need to assess the costs and benefits of possible privacy solutions. Some costs will be financial, for example an organisation might need to purchase additional software to give greater control over data access and retention. The costs can be balanced against the benefits, for example the increased assurance against a data breach, and the reduced risk of regulatory action and reputational damage.
GDPR Software uses the Assessment module to allow you to record the identification and evaluation of privacy solutions. Take the risk items in turn (starting with the highest risk items first), consult, and come up with a solution. If the solution were implemented, would the risk be reduced or eliminated? Finally you need to evaluate the impact on the organisation of delivering the solution; factors such as cost and time will all affect the decision.
There is some sample data available to demonstrate this process: using the main menu navigate to Dashboard - Stage 10: New Organisational Practices, Section 3: Conduct DPIAs For New Systems. Select the Assessments tab and the button Load Sample Data. Edit the assessment and you will see Assessment Items of type Consultation that form the basis for the analysis.
Existing Risk: On-line web site suffers cyber attack.
Severity: Critical.
Likelihood: Occasional.
Risk Factor: 12.
Consultation: Reduce the risk of cyber attack to our on-line systems.
Details: We rely on our web hosting suppliers to keep our systems running and protect them from cyber attack. A security expert we consulted recommends paying a specialist penetration testing organisation to test our systems monthly.
Expected Severity: Critical.
Expected Likelihood: Seldom.
Expected Risk Factor: 8.
NOTE: Remember to use the Action Tab within the framework to allocate any actions to assist in the process and to provide evidence of the whole process.
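The following Python is an added example, not part of this page and not code from GDPR Software. It models the three pieces of arithmetic the samples above rely on: the WP29 "two or more criteria" screening rule from the table near the top, the Risk Factor (likelihood multiplied by severity) in the Risk Assessment sample, and the Expected Risk Factor after a privacy solution in the Consultation sample, classified as eliminated, reduced or accepted as the ICO code asks you to record. The ordinal scales, the "eliminated" rank, the sign-off threshold and the criterion names are assumptions: the scales were inferred so that they reproduce the page's sample values (Unlikely x Moderate = 3, Occasional x Critical = 12, Seldom x Critical = 8) and may not match the product's real scales.

```python
"""DPIA risk register helper (added example; scales are assumptions, see lead-in)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed ordinal scales. They reproduce the sample values on the page
# (Unlikely x Moderate = 3, Occasional x Critical = 12, Seldom x Critical = 8)
# but are not the product's actual scales. "eliminated" is an added rank so a
# solution that removes a risk entirely can be recorded as a residual of 0.
LIKELIHOOD = {"eliminated": 0, "unlikely": 1, "seldom": 2, "occasional": 3, "likely": 4, "frequent": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "critical": 4}

# Assumed threshold: a residual risk above this is escalated for senior sign-off.
SIGN_OFF_THRESHOLD = 8


def risk_factor(likelihood: str, severity: str) -> int:
    """Risk factor = likelihood rank x severity rank; labels are case-insensitive."""
    return LIKELIHOOD[likelihood.lower()] * SEVERITY[severity.lower()]


def dpia_required(criteria_met: Iterable[str]) -> bool:
    """WP29 rule of thumb: processing meeting two or more high-risk criteria needs a DPIA.

    A single criterion returns False here, but the controller must still judge the
    processing on its merits; this is a screening aid, not the decision.
    """
    return len(set(criteria_met)) >= 2


@dataclass
class RiskItem:
    title: str
    likelihood: str
    severity: str
    # Expected values after the proposed privacy solution; None means no solution yet.
    expected_likelihood: Optional[str] = None
    expected_severity: Optional[str] = None

    def current(self) -> int:
        return risk_factor(self.likelihood, self.severity)

    def residual(self) -> int:
        """Expected risk factor once the solution is in place (unchanged if none recorded)."""
        if self.expected_likelihood is None or self.expected_severity is None:
            return self.current()
        return risk_factor(self.expected_likelihood, self.expected_severity)

    def treatment(self) -> str:
        """Outcome to record against the risk: 'eliminated', 'reduced' or 'accepted'."""
        residual = self.residual()
        if residual > self.current():
            # Data-entry error: a privacy solution must never leave the risk higher.
            raise ValueError(f"{self.title}: solution raises risk {self.current()} -> {residual}")
        if residual == 0:
            return "eliminated"
        return "reduced" if residual < self.current() else "accepted"

    def needs_senior_sign_off(self) -> bool:
        return self.residual() > SIGN_OFF_THRESHOLD


def prioritise(items: Iterable[RiskItem]) -> List[RiskItem]:
    """Order the register so the highest current risk is consulted on first."""
    return sorted(items, key=lambda r: r.current(), reverse=True)


# Constructed sample register mirroring the two sample items on this page.
SAMPLE_REGISTER = [
    # Mitigation (single instance of customer data) already in place; no reduction claimed.
    RiskItem("Customers cannot get all of their data removed", "Unlikely", "Moderate"),
    # Monthly penetration testing expected to take the risk from 12 down to 8.
    RiskItem("On-line web site suffers cyber attack", "Occasional", "Critical", "Seldom", "Critical"),
]

if __name__ == "__main__":
    print("DPIA required for highway cameras:",
          dpia_required({"Systematic monitoring", "Innovative use"}))
    for item in prioritise(SAMPLE_REGISTER):
        flag = " (senior sign-off)" if item.needs_senior_sign_off() else ""
        print(f"{item.current():>2} -> {item.residual():>2}  {item.treatment():<10} {item.title}{flag}")
```

Feeding the register into `prioritise` gives the order in which to run the consultation step, and `treatment` gives the word to record against each item; change the two scale dictionaries to whatever your own assessment template uses and the rest stays the same.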
Make sure that the privacy risks have been signed-off at an appropriate level. This can be done as part of the wider project approval.
A PIA report should summarise the process, and the steps taken to reduce the risks to privacy. It should also record the decisions taken to eliminate, mitigate, or accept the identified risks.
Publishing a PIA report will improve transparency and accountability, and lets individuals learn more about how your project affects them.
Conducting a PIA is primarily about the process of identifying and reducing risks. Those are the stages which will provide assurance that an organisation is using information in a way which is appropriate for its objectives and safer for individuals. However, it is also important to keep a record of the process. This will ensure that the necessary measures are implemented. It can also be used to assure the public, the ICO and other stakeholders that the project has been thoroughly assessed.
Under the ICO code there is no requirement to produce a PIA report, but it is good practice to do so (and a DPIA under Article 35 of the GDPR must in any case be documented). The report should include an overview of the project, explaining why it was undertaken and how it will impact on privacy. It can include or reference the material which was produced during the PIA, for example the description of data flows and the privacy risk register. The report should describe how the privacy risks were identified and how they will be addressed.
A PIA does not necessarily require a formal sign-off process, but this will depend on the nature of the project. If an organisation is working on a large-scale project with a higher level of risk, it would be good practice to ensure that the PIA has been approved at a senior level. For smaller projects, it can be appropriate for the project leader to accept the privacy risks. A sign-off can also help to ensure that the necessary actions are followed up.
GDPR Software uses the Assessment module to allow you to record the sign-off and the PIA outcomes.
There is some sample data available to demonstrate this process: using the main menu navigate to Dashboard - Stage 10: New Organisational Practices, Section 3: Conduct DPIAs For New Systems. Select the Assessments tab and the button Load Sample Data. Edit the assessment and you will see Assessment Items of type Consultation that form the basis for the analysis.
Consultation: Reduce the risk of cyber attack to our on-line systems.
Details: We rely on our web hosting suppliers to keep our systems running and protect them from cyber attack. A security expert we consulted recommends paying a specialist penetration testing organisation to test our systems monthly.
Expected Severity: Critical.
Expected Likelihood: Seldom.
Expected Risk Factor: 8.
Mitigation: Monthly penetration testing by a third party, cost £700/month; internal OWASP ZAP testing 2 hrs/month, approx. £180/month in staff costs.
Notes: Cost spends approved by Joe Smith 21 Feb.
NOTE: Remember to use the Action Tab within the framework to allocate any actions to assist in the process and to provide evidence of the whole process.
The PIA findings and actions should be integrated with the project plan. It might be necessary to return to the PIA at various stages of the project´s development and implementation. Large projects are more likely to benefit from a more formal review process.
A PIA might generate actions which will continue after the assessment has finished, so you should ensure that these are monitored.
Record what you can learn from the PIA for future projects.
The results of the PIA should be fed back into the wider project management process. This will usually need to take place while the project is still being developed.
Most of the work required by a PIA will take place during the planning and early implementation of a project. However organisations should also take care to ensure that the steps taken as a result of the PIA have been properly implemented and are having the desired effect.
If the project aims develop or change during the project life cycle the organisation may need to revisit the screening questions to ensure the PIA is still appropriate. This might be especially important with particular project management methodologies which may not have a fixed set of requirements at the outset.
As with other aspects of the PIA process, a review of the privacy outcomes can be built into existing procedures. If an organisation would review the general implementation of a new project after a certain period, it should be possible to include a process for checking the work arising from the PIA as well. The PIA process should be developed to integrate with an organisation's own project management processes, and most project management methodologies include a post-project review.
Within GDPR Software, use the Action process to feed the results back into your framework. After each PIA, use the results of Step 5 above to raise actions to implement the outcomes, and a further action to review that implementation. Note that the timescales for the actions will be different for each PIA and outcome.