Data privacy has evolved from "nice to have" to a business imperative and a critical issue. More and more people are asking us questions about how their personal data is used. Privacy is fast becoming an important issue for your brand. Even if you do not have a customer-facing business, the privacy of employees and others is covered by legislation such as:
These laws and many others, depending on jurisdiction and geography, have created a set of stringent requirements for handling personal data. This is compelling organizations to better manage and protect personal data to avoid significant fines and penalties, and these requirements can be hard to implement and manage. To date, in under two years since the GDPR was enacted, there have been around $126 million worth of GDPR fines and 160,000 data breach notifications.
You can meet those requirements by conducting a Data Protection Impact Assessment (DPIA) or a Privacy Impact Assessment (PIA). Which one should you do? In part one of this series of blogs, we will focus on differentiating between the two.
PIAs and DPIAs are complementary and do not replace each other. The combination of PIAs and DPIAs provides your organization with a comprehensive approach to privacy risks and a plan to mitigate those risks. While both Privacy Impact Assessments and Data Protection Impact Assessments are essential to a privacy program, they have distinct roles to play within an organization.
PIAs focus on assessing the impacts of organizational change and the privacy risks that may result from those changes. PIAs are used primarily to identify and mitigate your organizational privacy risks. Privacy impact assessments are mandatory for federal institutions when personal information is involved in new or substantially modified programs.
PIAs must be submitted to the Office of the Privacy Commissioner (OPC) for review, and to the Treasury Board of Canada Secretariat (TBS) for approval. For more information, please take a look at "A Guide for Submitting Privacy Impact Assessments to the Office of the Privacy Commissioner of Canada" (OPC) and "The Directive on Privacy Impact Assessment" by the Treasury Board of Canada Secretariat.
Completing a privacy impact assessment is not mandatory for private sector organizations. However, it is considered a best practice and is used by organizations wishing to improve their privacy maturity. In addition, federal and provincial legislation is currently being reassessed, which could lead to a significant strengthening of protection measures. We can't say it enough: data privacy is critical for your business.
DPIAs go into detail on specific processes and focus primarily on their impact on the data subject. A DPIA is used to identify the risks associated with the processing of personal data, to mitigate them, and to demonstrate compliance with privacy legislation.
In addition, performing a DPIA is a way to ensure that the principles of privacy by design and by default (a key part of the GDPR's mandate) are fulfilled. It also helps you fulfill the principle of accountability and demonstrate the compliance the GDPR imposes on your organization.
"Working Group 29" (WG29) developed practical guidance on certain aspects of the GDPR. Those guidelines have since been adopted by the European Data Protection Board (EDPB). However, before applying these criteria, it is advisable to verify whether the process you updated or changed requires a compulsory DPIA or is exempt.
The guidelines provide a series of nine criteria used to assess the risk of a data processing operation. These help inform your decision on whether to perform a DPIA; that is, do you carry out any of the following operations:
If your company falls into the category of organizations for which a DPIA is relevant, it is very important to carry one out. The incorrect application of, or a missing, Data Protection Impact Assessment can result in fines of 10 million euros or 2% of gross revenue, whichever is higher.
Since the introduction of the GDPR, a DPIA should always be done BEFORE processing has begun. However, if a process is already in place, a Data Protection Impact Assessment is an ongoing activity, so existing processes can be woven in.
According to GDPR Article 35, a DPIA is a process made up of four elements:
The process that you go through when carrying out a DPIA involves several steps:
A DPIA is not a one-off exercise. On the contrary, best practices dictate that you do one every three (3) years. That being said, things change: processes are updated, data is modified, and so on. In that case, the recommendation is to do a Data Protection Impact Assessment as soon as a major update or modification is implemented.
A PIA or DPIA may or may not be a mandatory requirement for a company to be compliant with the GDPR, CCPA or PIPEDA. But doing one can give a company important insights into its operational processes as they relate to data privacy. It is an exercise that will ultimately bring you into compliance with the different laws, and it will also assist you with other data protection regulations. Your organization will acquire the intelligence needed to ensure that privacy violations do not happen on your watch.