GDPR and Privacy Impact Assessments

5th January 2017 Author: InfoSaaS

Happy New Year to you!

There’s no doubt that 2017 will be a year of challenges and changes: Brexit progress, President Trump, IoT security, internet surveillance, the list goes on. Let’s not lose sight of the ever-ticking countdown clock of GDPR (just over 500 days to go), the new EU-wide General Data Protection Regulation, which will replace the UK’s current Data Protection Act in May 2018.

As we’ve discussed before, having an effective and comprehensive Information Security Management System and ISO27001 certification is a great starting point. We have spent some time talking to our customers and partners about their GDPR planning and any identified challenges, and were interested to note that the requirement for effective Privacy Impact Assessments is one area where many feel unprepared.

We find that interesting partly because we’re near completion of a Privacy Impact Assessment solution (codenamed “Utopiar”), which will shortly be made available at minimal cost as a standalone service. By the end of Q1 2017 we will have this available – please do let us know if you would like to be advised of the release date or become an early adopter.

Why are Privacy Impact Assessments (PIAs) useful? If we turn to the ICO (Information Commissioner’s Office) website for a moment, we can discover that:

  • A PIA is a process which assists organisations in identifying and minimising the privacy risks of new projects or policies
  • Conducting a PIA involves working with people within the organisation, with partner organisations and with the people affected to identify and reduce privacy risks
  • The PIA will help to ensure that potential problems are identified at an early stage, when addressing them will often be simpler and less costly
  • Conducting a PIA should benefit organisations by producing better policies and systems and improving the relationship between organisations and individuals

Further, the ICO notes that PIA activities are intended to understand and assess the risk of harm from an intrusion into privacy resulting from personal data being:

  • inaccurate, insufficient or out of date
  • excessive or irrelevant
  • kept for too long
  • disclosed to those who the person it is about does not want to have it
  • used in ways that are unacceptable to or unexpected by the person it is about
  • not kept securely

So aside from GDPR compliance, effective PIA activities will help to build trust and confidence between data controllers/data processors and the data subjects themselves. As we progress through our own testing of “Utopiar”, we’re endeavouring to ensure that the step-by-step user experience and PIA effectiveness are combined to best support the GDPR needs of our customers:

  • Easy identification of activities and processes requiring a PIA; usable by all personnel with very minimal training
  • Logical progression through a series of questions and decisions helps to create a relevant, focused assessment document
  • Each PIA, when finalised, is created as a PDF within a library of assessments, which can easily be shared internally or with external interested parties

If you’d like more information, please contact us via www.infosaas.uk or telephone our Team on (+44) 0203 474 1290.