Submitted by: Govind Kumar (PGDRM Batch Jan 2020)

Mentor: Alumni

What is PIA (Also called Data Protection Impact Assessment)?

Privacy impact assessment is a way of assessing impacts on project privacy, policy, service, product, or other activities that involve the processing of personal information and taking the necessary steps to avoid or minimize negative impacts.

The Canadian PIA Guidelines describe the PIA as “a process to determine the impacts of a proposal on an individual’s privacy and ways to mitigate or avoid any adverse effects”.

The PIA is a process for identifying and analyzing privacy risks and monitoring compliance with privacy laws. It includes looking at ways in which those risks can be avoided or minimized. 

When is PIA required?

• PI is required when the activity involves the collection of information of individuals.
• Where information about certain people is disclosed to organizations or individuals who have never had regular access to it.
• If personal information is used for purposes it is not currently used.
• When a project uses new technologies or processes that can be seen as an intrusion into an individual’s privacy.
• When information about certain people of a type may raise personal concerns. For example, health records, criminal records, or other information that people may consider particularly confidential.

Who needs to do PIA?

• If an organization processes Special Categories Data.
• Companies/organizations that process big data.
• If any organization/company records personal information.
• Companies/organizations that focus on their service/product towards children.

Why are Privacy Impact Assessments Conducted?

• Privacy impact assessments are performed to achieve the mentioned objectives:
• Evaluate security measures and procedures to reduce privacy risks.
• Establish the risks and implications of the current organizational process.
• Establish compliance with legal and regulatory procedures required for confidentiality.

Privacy impact assessment leads to privacy impact reports. The report often provides information on important aspects of the process of dealing with a multitude of personal information. This, in turn, allows for the ability to establish a mechanism by which procedural risks associated with the process can be effectively managed.

How to conduct PIA?

The process that an organization goes through when attempting a DPIA involves several steps:

1. Design: This first step is important in ensuring that DPIA has the information it operates on. The step is about creating an image of the data usage cycle. Where, from whom, why the data is collected, where does it go, how is it stored, who is responsible for processing this data? The aim should be to make a record of the division and collection of data throughout the life cycle and in every vendor ecosystem, which you use.
2. Creating awareness: Because DPIA involves all stakeholders on the lookout for data, one should let these participants know why DPIA is being done and what is involved.
3. Evaluation: This is the stage where one evaluates the privacy implications of service, process, or product. The test itself is a data control function and is performed under the supervision of the Data Protection Officer (DPO). The assessment looks at-risk data that would violate the GDPR’s authority.
4. Corrections: The information obtained in the test phase will allow to develop a corrective action to reverse the process by the GDPR.
5. Documentation and demonstration: Indicates that all procedures are now in line with the GDPR.

Benefits of a Data Protection Impact Assessment

Performing a Data Protection Impact Assessment before the start of the project will allow the organization to know the flow of information within the project from the beginning.

It will improve the communication about data privacy with different stakeholders. The organization can gain confidence between users and customers that process their data responsibly. Organizations can ensure that users are not at risk and reduce costs in the event of a security breach. It will also help you to reduce operating costs by making the information pass over time. Organizations will avoid GDPR penalties by keeping compliance.

Disclaimer

This report has been produced by students of Global Risk Management Institute for their own research, classroom discussions and general information purposes only. While care has been taken in gathering the data and preparing the report, the student’s or GRMI does not make any representations or warranties as to its accuracy or completeness and expressly excludes to the maximum extent permitted by law all those that might otherwise be implied. References to the information collected have been given where necessary.

GRMI or its students accepts no responsibility or liability for any loss or damage of any nature occasioned to any person as a result of acting or refraining from acting as a result of, or in reliance on, any statement, fact, figure or expression of opinion or belief contained in this report. This report does not constitute advice of any kind.