Information & text, either in full or in part, has been used from the ICO's Conducting privacy impact assessments code of practice, the Data Protection Act and the Council of the European Union Interinstitutional File: 2012/0011 (COD).
Document Author: Shaab Al-baghdadi

Data Protection Impact Assessment / Privacy Impact Assessment (PIA)
	
The Need:

Under Article 35 of the General Data Protection Regulation (GDPR)* there exists a requirement to conduct a PIA should any of the following apply:

(1) A risk to the data subjects' right to privacy results from the processing of their personal data**
(2) Automated decisions are made, analytics are used on the data subject, sensitive data is processed or large amounts of data are processed***
(3) At present a PIA is best practice as stated by the Information Commissioner's Office (ICO); this will change under the GDPR (May 2018) to a requirement under (1) and (2) above.
(4) Answering 'yes' to any of the questions below is an indication that a PIA should be undertaken.

Will the processing involve the collection of new information about individuals?
Will the processing compel individuals to provide information about themselves?
Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?
Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
Does the processing involve you using new technology which might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition.
Will the processing result in you making decisions or taking action against individuals in ways which can have a significant impact on them?
Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be particularly private.
Will the processing require you to contact individuals in ways which they may find intrusive?
	
The benefits of a PIA:

A PIA is a tool which will help organisations to comply with their Data Protection Authority (DPA) obligations, as well as bringing further benefits.
Carrying out an effective PIA should benefit both the people affected and the organisation carrying out the processing of personally identifiable information (PII).
The ICO may often ask an organisation whether they have carried out a PIA. At present it is often the most effective way to demonstrate to the ICO how personal data processing complies with the DPA.
The first benefit to individuals will be that they can be reassured that the organisations which use their information have followed best practice. An organisation which has been subject to a PIA should be less privacy intrusive and therefore less likely to affect individuals in a negative way.
A second benefit to individuals is that a PIA should improve transparency and make it easier for them to understand how and why their information is being used.
Organisations that conduct effective PIAs should also benefit. The process of conducting the assessment will improve how they use information which impacts on individual privacy. This should in turn reduce the likelihood of the organisation failing to meet its legal obligations under the DPA and of a breach of the legislation occurring.
Key points:

(1) A PIA is a process which assists organisations in identifying and minimising their privacy risks.
(2) The PIA will help to ensure that potential problems are identified at an early stage, when addressing them will often be simpler and less costly.
(3) Conducting a PIA should benefit organisations by producing better policies and systems and improving the relationship between organisations and individuals.
(4) Conducting and publicising a PIA will help an organisation to build trust with the people using their services.
(5) The actions taken during and after the PIA process can improve an organisation's understanding of their customers.
(6) There can be financial benefits; identifying a problem early will generally require a simpler and less costly solution. A PIA can also reduce the ongoing costs of processing by minimising the amount of information being collected or used where this is possible, and by devising more straightforward processes for staff.
(7) More generally, consistent use of PIAs will increase the awareness of privacy and data protection issues within an organisation.
(8) As a minimum, a GDPR readiness assessment or gap analysis should be undertaken as soon as possible.
	
References:

* Protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

• Article 35 Data protection impact assessment
• **(1) Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
• (2) The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
• (3) ***A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
  – (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  – (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
  – (c) a systematic monitoring of a publicly accessible area on a large scale.
• (4) The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.
• (5) The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the Board.
• (6) Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.
• (7) The assessment shall contain at least:
  – (a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  – (b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  – (c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
  – (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.