A frequent error is the conviction that the privacy impact assessment (also known as Data Protection Impact Assessment, DPIA, but hereafter simply PIA) is a new topic, introduced only by the provisions of the draft regulation or by some member state regulation.
Actually, the PIA has been the basis of every “privacy assessment” since the beginning of privacy regulation, at least since 1996. No information can be given, and no consent can be freely expressed, without a basic impact assessment.
So it is mistaken to take literally the idea that the PIA intervenes only “Where processing operations present specific risks to the rights and freedoms of data subjects”, as Article 33 of the draft data protection regulation puts it.
The PIA has many different definitions; for example, the European Commission, in 2012, gave the following one:
“as a process whereby a conscious and systematic effort is made to assess privacy risks to individuals in the collection, use and disclosure of their personal data. PIAs help identify privacy risks, foresee problems and bring forward solutions.”
However, we prefer the definition given by the PIAF Consortium, which is alternative, authoritative and, consistent with what we said above, more complete:
We can define a privacy impact assessment as a methodology for assessing the impacts on privacy of a project, policy, programme, service, product or other initiative and, in consultation with stakeholders, for taking remedial actions as necessary in order to avoid or minimise negative impacts.
A PIA is more than a tool: it is a process which should begin at the earliest possible stages, when there are still opportunities to influence the outcome of a project. It is a process that should continue until and even after the project has been deployed.
Most of the methodologies put emphasis on:
- PIA is a Process
- Steps proportional to risks and project size
- Senior management support and commitment
- Planning, responsibilities, budget and deliverables should be established as soon as possible
- Identification of data treatment, flows, aims and needs
- Compliance assessment with applicable legislation
- Privacy risk
- Risk management, particularly risk avoidance (minimal treatment principle)
- Adoption of Information Security methodologies for Risk Management
- Strong integration with project lifecycle from the beginning till the data secure erase
- Stakeholder involvement
- Publication (at least partial) of the PIA results/report
- Involvement of privacy authorities (communication, collaboration, compulsory approval)
To these ingredients we can add a link to privacy by design.
Moreover, a PIA can take place at the beginning of the processing, as we said, but it can also take place when the processing has already started; we refer, for example, to data processing that will be affected by the new regulatory framework on PIA.
The cost of a PIA involves a case-by-case calculation, depending on the nature and scale of the exercise.
We hope that in the near future, after the Regulation is approved, the European Commission, and more precisely the European Data Protection Supervisor, will define a common approach to PIA, taking account of best practices, hopefully formalized in an ISO standard.