GDPR and Privacy Impact Assessments
5th January 2017
Happy New Year to you!
There’s no doubt that 2017 will be a year of challenges and changes: Brexit progress, President Trump, IoT security, internet surveillance, the list goes on. Let’s not lose sight of the ever-ticking countdown clock of GDPR (just over 500 days to go), the new EU-wide General Data Protection Regulation, which will replace the UK’s current Data Protection Act in May 2018.
As we’ve discussed before, having an effective and comprehensive Information Security Management System and ISO27001 certification is a great starting point. We have spent some time talking to our customers and partners about their GDPR planning and any identified challenges, and were interested to note that the requirement for effective Privacy Impact Assessments is one area where many feel unprepared.
Why are Privacy Impact Assessments (PIA) useful?
If we turn to the ICO* website for a moment, we can discover that:
- A PIA is a process which assists organisations in identifying and minimising the privacy risks of new projects or policies
- Conducting a PIA involves working with people within the organisation, with partner organisations and with the people affected to identify and reduce privacy risks
- The PIA will help to ensure that potential problems are identified at an early stage, when addressing them will often be simpler and less costly
- Conducting a PIA should benefit organisations by producing better policies and systems and improving the relationship between organisations and individuals
Further, the ICO* notes that PIA activities are intended to understand and assess the risk of harm from an intrusion into privacy arising from personal data being:
- inaccurate, insufficient or out of date
- excessive or irrelevant
- kept for too long
- disclosed to those whom the person it is about does not want to have it
- used in ways that are unacceptable to or unexpected by the person it is about
- not kept securely
So aside from GDPR compliance, effective PIA activities will help to build trust and confidence between data controllers/data processors and the data subjects themselves. As we progress through our own testing of, we’re endeavouring to ensure that the step-by-step user experience and PIA effectiveness are combined to best support the GDPR needs of our customers:
- Easy identification of activities and processes requiring a PIA, usable by all personnel with very minimal training
- Logical progression through a series of questions and decisions helps to create a relevant, focused assessment document
- Each PIA, when finalised, is created as a PDF within a library of assessments, which can easily be shared internally or with external interested parties