In the privacy vocabulary, the term PIA seems to have become indispensable. It is a new term introduced by the GDPR. PIA stands for privacy impact assessment. Officially, the GDPR speaks of a Data Protection Impact Assessment (DPIA). However, PIA and DPIA are used interchangeably, although PIA is the best-known abbreviation.
A good way to see whether your organisation already complies with the GDPR is to carry out an audit or quick scan. This is not a PIA. It is a common misconception that a PIA is carried out 'on a company or organisation', as a kind of audit or quick scan. This is not the case. A PIA is an assessment of a specific processing operation.
The GDPR provides that a controller must assess the impact of a proposed processing operation if that operation poses an increased risk to the data subject.
This standard of an 'increased risk' is an open standard. This means that the GDPR does not contain an exact description of the cases in which there is or is not an increased risk. When judging whether a processing operation involves an increased risk, you should pay attention to the following points:
On the basis of these factors, you will therefore have to consider in advance whether the intended processing involves an increased risk for the rights of the data subjects. If this is the case, you must subject the intended processing to a PIA.
The GDPR also mentions a number of cases in which a PIA is always compulsory. This is the case with the following processing operations:
Now we come to the IA part of the PIA. What is the impact assessment?
The GDPR prescribes four components that must at least be included in the assessment of the impact of the intended processing:
You consider these points and weigh them against each other. Where the PIA indicates that the processing poses a high risk and there are no sufficient measures to protect the data subject, the controller must inform the Data Protection Authority of the intended processing. The Authority will then review the proposed processing. The Authority assesses whether the intended processing would infringe the GDPR and provides the controller with written advice on this matter.