The French Data Protection Authority publishes its PIA manual

By | Tuesday July 21st, 2015

New guides for carrying out PIAs (Privacy Impact Assessments) have been published by the CNIL. The method will help data controllers to implement Privacy by design.
A PIA (Privacy Impact Assessment) relies on two pillars:

– The fundamental principles and rights, which are “non-negotiable”: they are fixed by law and have to be complied with, and they may not be modulated, whatever the nature, severity and likelihood of the risks;

– Privacy Risk Management, which allows the data controller to determine the adequate technical and organizational controls to protect personal data.

To implement those two pillars, the approach consists of 4 steps:

– Context study: define and describe the processing(s) of personal data under consideration, its (their) context and stakes;

– Controls study: identify existing or planned controls (those that fulfill the legal requirements, and those that treat the privacy risks);

– Risks study: assess the risks that are related to the security of data and that could have impacts on individuals’ privacy, in order to check whether the risks have been treated adequately;

– Validation: decide whether to accept the manner in which it is planned to fulfill legal requirements and to treat risks, or to reiterate the previous steps.

More details can be found in the following documents:

http://www.cnil.fr/fileadmin/documents/en/CNIL-PIA-1-Methodology-EN.pdf
http://www.cnil.fr/fileadmin/documents/en/CNIL-PIA-2-Tools-EN.pdf
http://www.cnil.fr/fileadmin/documents/en/CNIL-PIA-3-GoodPractices.pdf


About Alessandro Cosenza

He is the Chief Information Security Officer (CISO) at Bticino. He is responsible for maintaining the enterprise vision of the ITC department. He works to ensure that information assets and technologies are adequately protected. He manages the team in order to develop, implement and maintain processes across the organization to reduce information and information technology (IT) risks. He also works as a Data Privacy Officer for the ITC department. In this role he oversees all the activities related to the development, implementation, maintenance and adherence to the organisation’s privacy policies and procedures related to the ITC department. He holds the ISACA certification Certified Information Security Auditor (CISA) and is also a member of CLUSIT (Associazione Italiana per la Sicurezza Informatica). He participated in and obtained a university certificate for the course "Computer forensics e Data protection" at the University of Milan, Faculty of Law.
