
A practical guide to impact assessments - PDP


Data Protection Ireland, Volume 9, Issue 4

Nicola Fulford, Partner and Head of Data Protection and Privacy, and Krysia Oastler, Data Protection and Privacy Associate, Kemp Little LLP, provide practical advice on how to prepare for when PIAs become mandatory.

Carrying out an impact assessment (also known as a privacy impact assessment, PIA, data protection impact assessment, risk assessment) as part of any new project involving personal data is currently a best practice requirement in Ireland. On 25th May 2018, when the General Data Protection Regulation ('GDPR') comes into force, PIAs will be mandatory in certain circumstances. This article gives guidance on undertaking impact assessments based on experience, the current published guidance and the new requirement in the GDPR.

The term 'new project' is used throughout this article to refer to any novel processing, including development and implementation of new technology, a different way of doing things or a material change to existing processes.

Background and best practice requirement

In terms of existing guidance, the European Commission's Privacy Impact Assessment Framework ('PIAF') project defines a PIA as 'a systematic process for evaluating the potential effects on privacy of a project, initiative or proposed system or scheme and finding ways to mitigate or avoid any adverse effects'.

There are few publicly available Irish resources relating to privacy impact assessments, so some Irish organisations have been relying on guidance published by the UK regulator, the Information Commissioner's Office ('ICO'), which published its PIA Handbook in December 2007 (and has since published updates). In our experience, the ICO will ask the data controller whether an impact assessment was completed in relation to the processing activity.

In 2011, the Article 29 Working Party published a privacy and data protection impact assessment framework for RFID applications. Finally, the French regulator (the CNIL) published a comprehensive PIA manual in 2015, which includes a methodology, tools and good practices.

The momentum behind PIAs continued to build with the inclusion of impact assessments in the GDPR.

When is an impact assessment required under the GDPR?

Under the GDPR, it will be a legal requirement to complete a data protection impact assessment in certain 'high risk' circumstances. Such circumstances are defined in Article 35 of the GDPR as 'where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data'.

The GDPR specifies that data controllers are in particular required to complete an impact assessment in the case of:

- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; and
- processing on a large scale of special categories of data/sensitive personal data or systematic monitoring of a publicly accessible area on a large scale.

A single assessment may address a set of similar processing operations that present similar high risks.

Supervisory authorities are tasked with publishing a list of the kind of processing operations which are subject to the requirement for an impact assessment (and may also publish a list of processing operations that are not subject to the requirement).

Practical steps for carrying out an impact assessment

This section sets out some practical steps for carrying out an impact assessment. The GDPR prescribes that the assessment shall contain at least:

- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.

Before going into the practical steps, and given that impact assessments are more effective when they are started early on in the development of a new project, how do you ensure that privacy is a consideration in the first place?

Training and awareness raising is a good place to start. However, having solid controls in place, such as privacy trigger points in existing project and risk management practices, is the best way to ensure that privacy is considered early on.

The ICO commissioned a study to understand how PIAs can be better integrated with existing project and risk management tools and how to make PIAs more practical and effective. The findings show that there are a number of places where the impact assessment process may be built into the main project and risk management practices.

'It appears that the answer is not as simple as merely moving across from "legitimate interests" to "consent". Instead, the solution may lie in responding to the overall move towards transparency and control, by evolving an ongoing one [...] a two-way [...]'

1. Understanding and documenting the personal data

The first step when completing a PIA [...] who will they be shared with; where will they be processed and stored; and when will they no longer be needed.

These questions may be included in a form for project owners to complete at the beginning of the project, or as prompts for discussion in initial project meetings/privacy consultations. Getting the answers to these questions can be challenging, as it involves working with many parts of the organisation and its suppliers/subcontractors who may not be able to answer all of the questions at the beginning of the project.

2. Check legal compliance

Once you have an initial understanding of the project, the data flows and the purpose of the processing, the next step is to consider and check legal compliance. This is most effective when carried out early on in the project's life; it is an opportunity to structure the project in a legally compliant way.

Part of this step entails an assessment of the necessity and proportionality of the processing but also the other principles. For example, how the notice requirements are achieved, which condition(s) for processing are satisfied, how data minimisation will be applied, how individuals' rights will be fulfilled and [...]
