If you are not doing privacy impact assessments (PIAs) – also known as data protection impact assessments (DPIAs) in EU law – there is no time like the present to get started. PIAs are a systematic process to assess privacy risks to individuals in the collection, use, and disclosure of their personal data. Specifically, data controllers must conduct PIAs where privacy breach risks are high so that the risks to data subjects are minimized.
What is the purpose of privacy impact assessments?
The GDPR introduces DPIAs as a means to identify high risks to the privacy rights of individuals when processing their personal data. When such risks are identified (a topic we’ll explore in more detail later in this blog series), the GDPR expects the organization to formulate measures to address them. Those measures may take the form of technical controls such as encryption, pseudonymization, or anonymization of data.
Impact assessments, like security assessments, provide a good foundation to assess the potential and ongoing risk of systems and data flows within them. Privacy and data security teams can then recommend and monitor appropriate controls.
When should you conduct privacy impact assessments?
The impact assessment should happen before you start processing personal data. It should focus on topics like the systematic description of the processing activity and the necessity and proportionality of the operations. Ideally, an impact assessment should be done any time you will be working with data that creates high risk to individuals. In reality, the PIA process itself is often what determines whether that is the case. So, in practice it’s a very good idea to make PIAs a standard operating procedure for your privacy by design programs.
How can you use privacy impact assessments?
Beyond checking a box toward regulatory compliance, PIAs allow your privacy program managers and data protection officers to develop a service level agreement (SLA) with their colleagues in IT and the business. PIAs can be incorporated into the standard process of concept planning, development, testing and deployment, and ongoing monitoring. They also allow privacy teams to implement privacy by design and by default and a risk-based approach to data protection – both key components of the GDPR.
With automation, a good PIA process can also scale the impact of what are typically small privacy organizations to match their larger counterparts in IT, security, and the business. Privacy can then be a core part of standard operating procedures instead of being seen as a hurdle to deployment.
AvePoint Privacy Impact Assessment (APIA) System
AvePoint and the International Association of Privacy Professionals (IAPP) have teamed up to design and build the industry’s first no-cost, fully-automated system for conducting privacy impact assessments. The AvePoint Privacy Impact Assessment (APIA) System, used by more than 3,000 global organizations, automates the process of evaluating, assessing, and reporting on the privacy implications of enterprise IT systems and processes. APIA:
- Is 100% free, with no limitations or other requirements for use
- Automates and centralizes what has traditionally been a manual, decentralized, tedious process
- Helps organizations comply with privacy regulations by analyzing how information is collected and managed
- Reports on assessments for stakeholder review
- Involves compliance and privacy from the beginning of a project, not at the end
- Extends assessment capabilities to include security, risk, and other vulnerabilities and processes
To learn more about APIA, visit IAPP’s website.
For more information about how to prepare for GDPR requirements, sign up for our guide.