Data privacy has evolved from “nice to have” to a business imperative and critical issue. More and more people are asking questions us about how their personal data is used.  Privacy is fast becoming an important issue for your brand. Even if you do not have a customer-facing business, the privacy of employees and others, is covered by legislation such as:

• The EU’s General Data Protection Regulation (GDPR)
• The California Consumer Privacy Act (CCPA)
• The Canada Privacy Act
• The Personal Information Protection and Electronic Documents Act (PIPEDA)

These laws and many others, depending on jurisdiction and geography, have created a set of stringent requirements when you handle personal data. This is compelling organizations to better manage and protect personal data to avoid significant fines and penalties. These can be hard to implement and manage. To date, in under 2-years since the GDPR was enacted, there has been around $126 million worth of GDPR fines and 160,000 data breach notifications.

You can meet those requirements by conducting a Data Protection Impact Assessment (DPIA) or Privacy Impact Assessment (PIA). Which one you should do? In part one of this series of blogs, we will focus on differentiating between the two.

The difference between a Privacy Impact Assessment (PIA) and a Data Protection Impact Assessment (DPIA)

PIAs and DPIAs are complementary and do not replace each other. The combination of PIAs and DPIAs provides your organization with a comprehensive approach to privacy risks and a plan to mitigate those risks. While both Privacy Impact Assessments and Data Protection Impact Assessments are essential to a privacy program, they have distinct roles to play within an organization.

What is a Privacy Impact Assessment good for?

PIAs focus on assessing the impacts of organizational change and on the privacy risks that may result from these changes. PIAs are used primarily to identify and mitigate your organizational privacy risks. Privacy impact assessments are mandatory for federal institutions involving personal information in new or substantially modified programs.

PIAs must be submitted to the Office of the Privacy Commissioner (OPC) for review, and to the Treasury Board of Canada Secretariat (TBS) for approval. For more information, please take a look at ''A Guide for Submitting Privacy Impact Assessments to the Office of the Privacy Commissioner of Canada, OPC’’ and ''The Directive on Privacy Impact Assessment'' by the Treasury Board of Canada Secretariat.

The completion of a privacy impact assessment is not mandatory for private sector organizations. However, it is considered a best practice and is used by organizations wishing to improve their privacy maturity. In addition, federal and provincial legislation are currently being reassessed. This could lead to significant strengthening of protection measures. We can't say it enough: Data Privacy is critical for your business.

What about the Data Protection Impact Assessment?

DPIAs are very detailed on specific processes and focus primarily on their impact on the data subject. A DPIA is used to identify the risks associated with the processing of personal data, to mitigate them and as a means of demonstrating compliance with Privacy legislation.

In addition, performing a DPIA is a way to ensure the principles of privacy by design and default (a key part of the mandate of GDPR) are fulfilled. And you will be able to fulfill the principle of accountability and  demonstrate your organization’s compliance imposed by the GDPR.

Does Your Company Need to Do a DPIA?

“Working Group 29” (WG29) worked out practical solutions to certain aspects of GDPR. Those guidelines have since been adopted by the European Data Protection Board (EDPB). However, before applying these criteria, it is advisable to verify whether the process you updated or changed requires a compulsory DPIA or if it is exempt.

The guidelines provide a series of nine criteria used to assess the risk of a data processing operation. This helps inform your decision in performing a DPIA, that is, do you carry out any of these operations:

1. Evaluation or scoring - examples include screening a customer when they attempt certain transactions, i.e., anti-money laundering checks.
2. Automated decision making with legal or similar significant effect - profiling people that could impact a decision.
3. Systematic monitoring - situations where a person may not be aware of who is collecting their data why.
4. Sensitive data or data of a highly personal nature - for example, health data or political affiliations.
5. Data processed on a large scale - whilst the GDPR does not explicitly define what ‘large-scale’ is, more information can be found in recital 91.
6. Matching or combining datasets
7. Data concerning vulnerable data subjects - such as minors.
8. Innovative use or applying new technological or organizational solutions - for example, combining multiple biometric types.
9. The processing prevents data subjects from exercising a right or using a service or a contract - for example, bank customer screening.

What to do if you meet the requirements of a DPIA relevant organization?

If your company does fall into a DPIA relevant organization, it is very important to carry one out. The incorrect application or a missing Data Protection Impact Assessment can result in fines of 10 million euros or 2% of gross revenue, whichever is higher.

A DPIA should always be done BEFORE processing has begun (since the introduction of the GDPR). However, if a process is already in place, a Data Protection Impact Assessment is an ongoing activity, so existing processes can be woven in.

What Does a DPIA Involve?

According to GDPR Article 35, a DPIA is a process made up of four elements:

1. Element One: a description of the envisaged processing operations and the purposes of the processing
2. Element Two: an assessment of the necessity and proportionality of the processing
3. Element Three: an assessment of the risks to the rights and freedoms of data subjects
4. Element Four: the measures envisaged to address the risks and demonstrate compliance with the GDPR

DPIA as a Process

The process that you go through when attempting a DPIA involves several steps:

1. Design: This first step is essential to making sure the DPIA has information to work from. The design step is all about forming a picture of your data use cycle. Where, from whom, why, you collect data. Where does it go to, how is it stored, who has responsibility for the processing of these data? You should aim to create a classification record and inventory of your data throughout its entire lifecycle and across any vendor ecosystem, you use.
2. Building awareness: Because a DPIA involves all stakeholders in your data landscape, you should make these stakeholders aware of why you are doing a DPIA and what it involves.
3. Assessment: This is the stage where you check the privacy impact of your service, operation or product. The assessment itself is the responsibility of the data controller and done under the watch of the Data Protection Officer (DPO). The assessment looks at the risks that data will violate the GDPR mandate and measures you have to de-risk this.
4. Remediation: The information gleaned from the assessment stage will allow you to work out a remediation strategy to bring the process back into line with the GDPR.
5. Documentation and demonstration: Showing that your processes are now in compliance with the GDPR.

A DPIA is not a one-off exercise. On the contrary, best practices dictate that you do one every three (3) years. That being said, things change, processes are updated, data is modified, and so on. In which case the recommendation would be to do a Data Protection Impact Assessment as soon as a major update or modification is implemented.

Conclusion

A PIA|DPIA, may or may not, be a mandatory requirement for a company to be compliant with GDPR, CCPA or PIPEDA. But doing one can give a company important insights into its operational processes as it relates to data privacy. It is an exercise that will ultimately bring you into compliance with the different laws. It will also assist you with the other data protection regulations. Your organization will acquire the intelligence needed to ensure that privacy violations do not happen on your watch.