In which cases is a PIA mandatory?
As mentioned above, it is mandatory to conduct a PIA when the processing of the data may give rise to a high risk for the rights and freedoms of the data subjects of the collection, such as in the following cases:
- The processing is included in the list of types of processing operations for which the CNIL (supervisory authority of the European General Regulation on Data Protection) requires a PIA // https://www.cnil.fr/sites/default/files/atoms/files/liste-traitements-aipd-requise.pdf
- The data processing meets at least two of the following criteria:
- Evaluation/profiling
- Automatic decision with legal or similar effect
- Systematic monitoring
- Collection of sensitive data
- Large-scale collection of personal data
- Cross-referencing of data
- Data concerning vulnerable people (patients, children, elderly)
- Innovative use with the use of new technology
- Exclusion of the benefit of a right and a contract
How to conduct a privacy impact assessment?
A Privacy Impact Assessment (GDPR PIA) should contain at least:
- A description of the processing operations, the purposes of the data processing, a description of the legitimate interest of the data controller in the collection and processing of such personal data
- An assessment of the necessity and proportionality of the different processing operations according to the purposes of the data processing operations
- An assessment of the risks to the rights and freedoms of the data subjects by the collection and processing of personal data
- The measures envisaged in the event of risks guarantees, measures and security mechanisms to ensure the protection of personal data and to provide proof of compliance with the GDPR
To carry out this impact analysis, the CNIL describes the following method:
- Delimitation and description of the data processing context
- Analysis of measures ensuring the proportionality and necessity of data processing and the protection of the rights of data subjects
- Assessment of privacy risks related to the security of personal data
- Formalisation of the validation of the privacy impact assessment based on the above elements
What is a PIA GDPR?
A PIA GDPR is a key step in bringing your structure into compliance. It makes the Data Protection Officer and his relays responsible. It is a tool for building a data processing system that complies with the GDPR and respects the privacy of the persons concerned by the collection and processing of personal data. Indeed, the processing of personal data can generate a risk for the rights and freedoms of the persons concerned. The DPO will make it possible to implement a level of security proportionate to the risk that the processing presents.
The PIA GDPR is mandatory for processing operations that are likely to give rise to high risks to the privacy rights and freedoms of data subjects through the collection and processing of data.
Moreover, a PIA may concern a single data processing operation or a set of similar operations. For example: the SNCF can carry out a single impact analysis on the video surveillance system deployed in its various stations.
What is a privacy risk?
In the context of a PIA GDPR, a risk to the privacy of the persons concerned by the collection and processing of personal data may be :
- A dreaded event: such as a breach of confidentiality or data integrity and the potential impact of such breaches on the rights and freedoms of the data subjects by the collection and processing of personal data
- All threats to the rights and freedoms of the persons concerned by the collection and processing of data
This risk is estimated in terms of severity and likelihood. Moreover, the seriousness of this risk is assessed for the data subjects and not for the company responsible for the data processing.
Training to carry out a PIA GDPR
To help you carry out your privacy impact analysis, our RGPD Academy training centre provides you with specialised training:
Privacy Impact Analysis (PIA) training (virtual classroom): this 2 half-day training course is aimed at DPOs, and project managers.
During this training you will:
- Determine and implement a methodology for analyzing the impact of a processing operation on the data
- Develop tools (reference systems, analysis grid) to manage risks and
- Accompanying and documenting decision making
- Analyze the evaluation of the results of the Privacy Impact Assessment (exploitation of the results, privacy risk assessments, PIA validation)
Who can carry out a privacy impact assessment?
The privacy impact assessment should be carried out by the DPO or the person in charge of compliance within the company. If the controller has appointed a DPO for his or her company, the DPO will be responsible for carrying out the privacy impact assessment and ensuring compliance with the GDPR of the structure where he or she operates.
In addition, this analysis will require the intervention of the project managers and the technicians supervising its development.
