Legal And Regulatory Dp Challenges For The Financial Services Sector
Why Data Protection Impact Assessment
1. Information and text, in full or in part, has been used from the ICO’s Conducting privacy impact assessments code of practice, the Data Protection Act and the Council of the European Union Interinstitutional File: 2012/0011 (COD)
Document Author: Shaab Al-baghdadi
Data Protection Impact Assessment / Privacy Impact Assessment (PIA)
The Need:
Under Article 35 of the General Data Protection Regulation (GDPR)* there is a requirement to conduct a PIA should any of the following apply:
(1) A risk to the data subject’s right to privacy results from the processing of their personal data**
(2) Automated decisions are made, analytics are used on the data subject, sensitive data is processed or large amounts of data are processed***
(3) At present a PIA is best practice as stated by the Information Commissioner’s Office (ICO); this will change under the GDPR (May 2018) to a requirement under (1) and (2) above.
(4) Answering ‘yes’ to any of the questions below is an indication that a PIA should be undertaken.
Will the processing involve the collection of new information about individuals?
Will the processing compel individuals to provide information about themselves?
Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?
Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
Does the processing involve you using new technology which might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition.
Will the processing result in you making decisions or taking action against individuals in ways which can have a significant impact on them?
Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be particularly private.
Will the processing require you to contact individuals in ways which they may find intrusive?
The benefits of a PIA:
A PIA is a tool which will help organisations to comply with their Data Protection Act (DPA) obligations, as well as bringing further benefits.
Carrying out an effective PIA should benefit both the people affected and the organisation carrying out the processing of personally identifiable information (PII).
The ICO may often ask an organisation whether they have carried out a PIA. At present it is often the most effective way to demonstrate to the ICO how personal data processing complies with the DPA.
The first benefit to individuals will be that they can be reassured that the organisations which use their information have followed best practice. An organisation which has been subject to a PIA should be less privacy intrusive and therefore less likely to affect individuals in a negative way.
A second benefit to individuals is that a PIA should improve transparency and make it easier for them to understand how and why their information is being used.
Organisations that conduct effective PIAs should also benefit. The process of conducting the assessment will improve how they use information which impacts on individual privacy. This should in turn reduce the likelihood of the organisation failing to meet its legal obligations under the DPA and of a breach of the legislation occurring.
Key points:
(1) A PIA is a process which assists organisations in identifying and minimising their privacy risks.
(2) The PIA will help to ensure that potential problems are identified at an early stage, when addressing them will often be simpler and less costly.
(3) Conducting a PIA should benefit organisations by producing better policies and systems and improving the relationship between organisations and individuals.
(4) Conducting and publicising a PIA will help an organisation to build trust with the people using their services.
(5) The actions taken during and after the PIA process can improve an organisation’s understanding of their customers.
(6) There can be financial benefits; identifying a problem early will generally require a simpler and less costly solution. A PIA can also reduce the ongoing costs of processing by minimising the amount of information being collected or used where this is possible, and by devising more straightforward processes for staff.
(7) More generally, consistent use of PIAs will increase the awareness of privacy and data protection issues within an organisation.
(8) As a minimum, a GDPR readiness assessment or gap analysis should be undertaken as soon as possible.
References:
*Protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
• Article 35 Data protection impact assessment
• **(1) Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
• (2) The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
• (3) ***A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
– (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
– (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
– (c) a systematic monitoring of a publicly accessible area on a large scale.
• (4) The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.
• (5) The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the Board.
• (6) Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.
• (7) The assessment shall contain at least:
– (a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
– (b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
– (c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
– (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.