Reaching a level of “privacy by design and default” does not have to be an uphill battle for your organization. By implementing the tools and measures outlined by the GDPR, ascending to higher levels of data protection becomes achievable.
You can start by re-envisioning your privacy impact assessment.
Let’s explore data privacy impact assessments and how they can help you.
The Privacy Impact Assessment
A privacy impact assessment, referred to by the GDPR as a Data Protection Impact Assessment (DPIA; privacy and protection can be used interchangeably here), is a risk framework.
If you, or your organization, have ever carried out a risk assessment, a DPIA will feel familiar. The element at risk within the DPIA is individuals’ personally identifiable information (PII). The individuals within the regulation are referred to as natural persons. A natural person is simply the legal term for a living, breathing human being.
If the element we are trying to protect is the natural persons’ PII, then the risk factors of the framework become anything that could jeopardize those data subjects’ privacy or the rights and freedoms of those individuals.
In other words, a DPIA is a risk strategy used to determine the impact on data subjects’ privacy or protection when starting new projects.
And lastly, for this article, projects are the short-form way of saying: “products, services, new technologies, or processes.”
We distinguish between new technologies and products because new tech is sometimes intra-organizational and not used for wider public consumption, yet may still involve the use of data subjects’ PII. (This is also true within the context of the regulation.)
An example of this would be new in-house software that streamlines the recruitment process. This software would have to churn through some sensitive PII to correctly perform its functions and require a DPIA before rollout.
When Should You Use a DPIA
It’s good to know the basics of a DPIA, but it’s better to know when it is appropriate to use one.
The GDPR outlines the need for a DPIA in Article 35 of the regulation. Under the law, your organization is legally required to carry out a privacy impact assessment when a new project may pose a high risk to natural persons’ rights and freedoms.
So if you believe that a new project could pose a risk to individuals’ rights and freedoms, that is an excellent time to conduct a DPIA and assess whether the risk level is acceptable or not.
Here is a DPIA quick-step guide:
Image Source: DPIA Quick-Step Guide, GDPR and Cybersecurity for Business Information Systems, p. 171.
This flow chart will give you a basic understanding of what is involved in creating a DPIA. In the next section, we will explore this in more detail.
How To Create an Effective DPIA
If we refer to the DPIA quick-step guide, the first thing you will need to do is determine whether there is even a need to conduct a DPIA. A good rule of thumb is that if a new project involves any PII, sensitive or not, a DPIA is likely necessary.
In cases where the PII is highly sensitive, a DPIA must be carried out. And as a reminder from the previous section: under the regulation, even if PII is not involved in the new project but the project could still result in a violation of natural persons’ rights and freedoms, you must conduct a DPIA.
Keep in mind that the DPIA is meant to ascertain whether a risk to natural persons is present.
If you have decided that a DPIA is needed, the next step is to understand the new project’s information life cycle.
Understanding the Information System
Within the context of a DPIA, understanding the information system involves documenting:
- The collection of PII
  - The method of collection
  - The type of PII (health, financial, physical, etc.)
- The storage of PII
  - Cloud storage
  - Server locations
- The processing of PII
  - Order processing
This step makes up part of the pre-planning. It also helps you determine whether a DPIA will be required at all. A data flow map is incredibly useful for this stage, and having one ready will streamline this part of the process.
Understanding the Privacy Risks
This part is the entire reason you are conducting a privacy impact assessment in the first place, but it is the preliminary steps that make it possible.
Once you have a general understanding of how PII is collected, stored, and processed, spotting potential risks becomes easier.
For example, suppose you have created a data flow map indicating where you’ll collect the data, and you then notice that the data collection is sourced from a third-party vendor. Without proper third-party risk management, this type of collection could pose a high risk to individuals’ rights and freedoms. Your options are then to create a secure in-house method of collection or to find an alternative source.
This process is called a gap analysis: when you identify a potential risk, you conduct a gap analysis to locate the gaps in your controls that give rise to that risk.
Finally, you must take steps to mitigate the risks to an acceptable level. Once you have done this and the necessary authorities within the organization have signed off on the process, you are compliant in the eyes of the law.
How It Can Benefit Your Organization
A DPIA is a great way to build trust with your customer base. The more transparent you are about business operations involving your customers’ PII, the more confidence you can instill. This transparency also feeds into the organization’s security culture, meaning staff will become more conscious of privacy issues in the long term.
This culture is what the GDPR refers to as “privacy by design and default.” The GDPR’s intention as a legal document is to bring organizations to a state where privacy and protection become the default setting for new start-ups and within all business environments. Carrying out DPIAs demonstrates your organization’s progress toward privacy by design.
Conducting DPIAs also helps you comply with other aspects of the regulation, such as purpose limitation, a principle within the law that requires organizations to limit data collection to only what is necessary for business operations. A DPIA forces you to think about what data you are collecting, and you will often find that collecting too much unnecessary data becomes a liability.
Lastly, you will find that DPIAs are handy tools for your Data Protection Officer (DPO), or for yourself if you happen to fulfill that role for your organization.
If you find yourself struggling with privacy impact assessment or any measures within the GDPR, we are here for you.
RSI Security is the nation’s premier security provider. With years of compliance experience, we can sort out your GDPR requirements in no time. Get in contact today and book a free consultation.