Misunderstanding 5: Privacy Impact Assessment (PIA)

March 23, 2018

In the privacy vocabulary, the term PIA has become indispensable. PIA stands for privacy impact assessment. The obligation itself is new with the GDPR, and the GDPR's own term for it is Data Protection Impact Assessment (DPIA). In practice PIA and DPIA are used interchangeably, with PIA being the better known abbreviation.

A good way to see whether your organisation already complies with the GDPR is to carry out an audit or quick scan. That is not a PIA. It is a common misconception that a PIA is carried out 'on a company or organisation', as a kind of audit or quick scan. A PIA is an assessment of one specific processing operation, not of the organisation as a whole.

The GDPR provides that a controller must assess the impact of a proposed processing operation in advance if that operation is likely to pose an increased risk (in the wording of the GDPR: a 'high risk') to the rights and freedoms of the data subjects.

What is an increased risk?

This standard of an 'increased risk' is an open standard: the GDPR does not contain an exact description of the cases in which there is or is not an increased risk. To decide whether a processing operation meets it, you should pay attention to the following points:

  • Are new technologies used in the processing?
  • The nature of the processing
  • The scale of the processing (duration, number of different data items, number of data subjects)
  • The context of the processing
  • The purpose of the processing

On the basis of these factors you have to consider, before the processing starts, whether the intended processing involves an increased risk to the rights of the data subjects. If it does, you must subject the intended processing to a PIA.

The GDPR also mentions a number of cases in which a PIA is always compulsory. This is the case with the following processing operations:

  1. Processing based on automated processing, including profiling, on which decisions are based that have legal effects for the data subject or that similarly significantly affect the data subject.
  2. Large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.
  3. Systematic and large-scale monitoring of publicly accessible spaces.

An example of the first case is a municipality that uses software to determine automatically, on the basis of a number of factors, whether a resident is eligible for rent subsidy. The municipality processes the resident's personal data, the processing takes place automatically with the help of the software, and the software draws a conclusion: whether or not to grant the rent subsidy. That is a decision with legal effect, so a PIA is compulsory.

Impact Assessment

Now we come to the IA part of the PIA. What is the impact assessment?

The GDPR prescribes four components that must, at a minimum, be included in the assessment of the impact of the intended processing:

  1. A systematic description of the intended processing and its purposes, including, where applicable, the legitimate interests pursued by the controller;
  2. An assessment of the necessity and proportionality of the processing in relation to those purposes;
  3. An assessment of the risks to the rights and freedoms of the data subjects;
  4. The measures envisaged to address those risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of the data subjects and other persons concerned.

You work through these points and weigh them against each other. Where the PIA indicates that the processing would pose a high risk and there are no sufficient measures to mitigate that risk, the controller must consult the Data Protection Authority before starting the processing. The Authority then reviews the intended processing, assesses whether it would infringe the GDPR and provides the controller with written advice on the matter.

Privacy Company can help you with a PIA. Read more about our services, or contact us.