Understand the Importance of Privacy Impact Assessments (PIAs)


Learn about Data Protection Impact Assessment, Privacy Impact Assessment, who benefits from PIAs, and how to conduct a PIA effectively. Discover how PIAs safeguard privacy interests, reduce costs, demonstrate compliance, and enhance decision-making processes.

  • Privacy
  • Data Protection
  • Impact Assessment
  • Compliance
  • Privacy Risks


Presentation Transcript


  1. PIA is a Process: Designing for Privacy. Leonardo H. Iwaya. CC-BY-4.0.

  2. What is Data Protection Impact Assessment? "Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data." (Art. 35 GDPR)

  3. What is Privacy Impact Assessment? "A privacy impact assessment (PIA) is an instrument for assessing the potential impacts on privacy of a process, information system, programme, software module, device or other initiative which processes personally identifiable information (PII) and, in consultation with stakeholders, for taking actions as necessary in order to treat privacy risk." (ISO/IEC 29134:2017)

  4. Who benefits from PIAs? They do:
     • Your customers and the general public, because you are looking out for their privacy interests.
     • Your organisation, because you demonstrate to your employees and contractors that you take privacy seriously and expect them to do the same.
     • The regulators, because when you carry out a proper PIA you clarify your project's information dealings, making their work easier.

  5. Who benefits from PIAs? Not sure yet?
     • A PIA helps to reduce costs in management time, legal expenses and potential negative media (i.e., PR also likes it).
     • A PIA helps to demonstrate compliance as an element of accountability.
     • A PIA enhances informed decision-making and exposes internal communication gaps or hidden assumptions.
     • A PIA helps to avoid privacy pitfalls of a project.
     • And, well... it might be mandatory...

  6. How do you do PIA? "[PIA] is a process which should begin at the earliest possible stages, when there are still opportunities to influence the outcome of a project. It is a process that should continue until and even after the project has been deployed." (David Wright, The state of art in PIA, 2012)

  7. How do you do PIA? While each project is different, a PIA should generally include the following steps (OIC Queensland, Overview of the Privacy Impact Assessment process, 2017):
     1. Conduct a threshold assessment: Work out the extent to which the project will benefit from a PIA. Generally, if personal information is involved in the project, a PIA will be necessary.
     2. Plan the PIA: Consider how detailed the PIA will be, who will conduct it, who needs to be consulted, when it needs to be delivered, and whether the PIA Report will be published and if so, in what format.
     3. Describe the project: Prepare a big picture description of what the project will deliver and what it will achieve, why it is needed, timeframes, and any links to existing projects. This will provide context for the PIA process.
     4. Identify and consult with stakeholders: Identify who has an interest in or is affected by the project, the level of consultation warranted by the project and how the consultation will be conducted.
     5. Map the personal information flow: Describe how personal information will be collected, stored, used and disclosed in the project from beginning to end.
     6. Identify the privacy issues: Compare the project's personal information handling practices against the privacy obligations set out in the [GDPR] to identify any privacy issues.
     7. Identify options to address the privacy issues: Consider what options will address the privacy issues. If there are multiple options, evaluate the cost, risk and benefit of each option to identify the most appropriate option.
     8. Prepare the PIA Report: Provide a report that sets out the information gathered throughout the PIA and its findings to the relevant governance body for approval.
     9. Action the agency's response to the PIA Report: Incorporate the tasks necessary to action the agency's response to the PIA Report into the wider project management process.

  8. References
     • EU GDPR, 2017. Article 35 EU GDPR "Data protection impact assessment". (http://www.privacy-regulation.eu/en/35.htm)
     • ISO/IEC 29134, 2017. Information technology - Security techniques - Guidelines for privacy impact assessment. (https://www.iso.org/standard/62289.html)
     • Wright, D., 2012. The state of the art in privacy impact assessment. Computer Law & Security Review, 28(1), pp.54-61.
     • Clarke, R., 2009. Privacy impact assessment: Its origins and development. Computer Law & Security Review, 25(2), pp.123-135.
     • OIC, 2017. Overview of the Privacy Impact Assessment (PIA) process. (https://www.oic.qld.gov.au/guidelines/for-government/guidelines-privacy-principles/privacy-compliance/overview-privacy-impact-assessment-process)
     • Icons and Images: Graphiqa Stock (https://www.iconfinder.com/graphiqa), Vectto (https://www.iconfinder.com/vectto), Alla Afanasenko (https://www.iconfinder.com/alla.afanasenko)
