In this series of articles I will be looking at the new data protection regulation (GDPR) that comes into force in the UK and Europe in the spring. I will be examining how GDPR will affect the development and design of organisational information systems, so that they comply with the GDPR's "data protection by design" requirement.
In the previous articles in this series I've attempted to clarify what GDPR compliance means for those people responsible for information systems in UK organisations. In the last article I reviewed the key principles of "Privacy By Design". In this article I will talk about Privacy Impact Assessments (PIAs) and how they can help an organisation prepare for GDPR compliance by taking appropriate measures, and by being able to show that it has done so.
It is important to note, as indeed the ICO does in its code of practice for PIAs, that carrying out the assessment is not a legal requirement. It has to be said that this caveat has the same ring to it as: "You do not have to say anything, but it may harm your defence if you do not mention when questioned something which you later rely on in court."
One of the key things to understand about the early days of the GDPR is that there will be very few absolutes when it comes to knowing whether you are compliant or not. Until a reasonable number of complaints regarding GDPR non-compliance have been heard in court, organisations will want as many assurances as possible that they will end up in the box marked "safe" rather than the other one.
A PIA, applied correctly, would be one extra assurance that due diligence has been applied to the compliance process. A PIA is not mandatory in all circumstances; however, the ICO's code of practice identifies the following situations where a PIA would be useful:
- Planning a new data storage system
- Planning a data sharing initiative with another organisation
- Profiling of demographics for the purposes of acting upon that identification
- New uses of existing data (where the use is "unexpected" or likely to be "more intrusive")
- The implementation of a new surveillance system, especially if it is intended to monitor members of the public
- The implementation of a new database consolidating disparate data items held by separate parts of an organisation
- Drafting of legislation, policies or strategies which will impact on privacy through the collection and use of information, or through surveillance or other monitoring
It is clear that a PIA should accompany any major systems work to be carried out regarding a company's data stores. It is worth noting again that "systems work" includes the sharing and consolidation of existing data.
The code of practice goes on to identify the steps that should be included in a PIA process:
- Identify the need for a PIA
- Describe the information flows
- Identify privacy and related risks
- Identify and evaluate privacy solutions
- Sign off and record the PIA outcomes
- Integrate the outcomes into the project plan
- Consult internal and external stakeholders on an ongoing basis throughout the process
The code of practice document gives more detail on these steps and, in its annexes, provides template documentation to assist with the execution of a PIA. This makes the code of practice document pretty much essential reading for organisations preparing for GDPR compliance.
In this series of articles I have examined the upcoming requirement for GDPR compliance as it relates to systems implementation and design. I have clarified the need for PIAs as a crucial component in the process of building and developing systems that implement the Privacy By Design framework. If you have any questions regarding the upcoming development of a GDPR compliant system, please feel free to contact us via email at firstname.lastname@example.org or by telephone on 02921 660 621.