PIA: Privacy Impact Assessment

Theory and tips for daily practice.

A Privacy Impact Assessment (PIA) is a risk analysis method specifically related to risks concerning personal data.

It consists of a long list of elements to be assessed and criteria to be met:

• elements defining the data processing;

• legal and regulatory risk criteria;

• technical risk criteria.

These criteria are followed by a framework for assessing the level of risk that the data processing poses to the privacy of data subjects, an action plan to mitigate that risk, and finally an assessment of the level of residual risk after the action plan.

Finally, the formal part consists of a signature of the DPO affirming that the PIA has been carried out in a reliable manner, and a countersigned decision of the controller to implement, or not to implement, the processing operation with respect to the assessed risks.

Context of use

A PIA is a methodological element introduced when the GDPR came into force in May 2018.

The CNIL states on its website:

"The PIA is a tool that allows the construction of a processing operation that is compliant with the GDPR and respects privacy, when a processing of personal data is likely to generate a high risk for the rights and freedoms of the data subjects."

It is understood from this sentence that a PIA is thus intended to be used at the design stage of a data processing operation, rather than ex post as a tool for analysing an existing processing operation.

However, as many processing operations were put in place before the arrival of the GDPR, PIAs must be carried out on processing operations already in place. Furthermore, the way an organisation operates and the dispersion of personal data processing operations means that it is still common, although not desirable, for PIAs to be carried out after a new personal data processing operation has been put into action.

How to use it

There is absolutely no need to use any software, either the one provided by the CNIL or a paying software offered by a publisher, although the latter may of course provide practical functionalities.

Any mode of use that allows the method to be followed and the results to be traced can be used, as simply as a document in text format. The CNIL provides a template for such a document.

If you are using a simple text file, trace the status of PIAs ("to do", "done", "in the process of being finalised", etc.) by entering a specific column or attribute in your processing register.

Benefits

The main benefit of a PIA, compared to considering the compliance of a processing operation without a particular method, is the exhaustiveness of the list of elements and criteria listed.

This allows, even if it may seem cumbersome, not to forget anything in the long list of elements that may impact on the compliance of a data processing operation.

Nothing escapes the PIA template, including seismic risks or anti-virus updates.

Furthermore, providing an action plan framework, however rudimentary, encourages organisations not to neglect this aspect, which may be obvious to some, but not to all. The framework encourages organisations not to carry out an analysis and put it in a drawer, but rather to design an action plan (and implement it) to mitigate the weaknesses revealed by the analysis.

When are they mandatory?

The GDPR originally defined the obligation of a PIA when a first rudimentary analysis reveals high risks. In view of this abstract and subjective criterion, certain objective criteria were subsequently defined by the CNIL which must be considered in addition to the probable existence of high risks which remains an applicable criterion to be borne in mind.

• Application for CNIL authorisation (health data processing): a PIA must be attached to the application.

• The processing meets at least 2 of the 9 criteria of the G29 guidelines:

  • evaluation/scoring (including profiling);

  • automatic decision making with legal or similar effect;

  • systematic monitoring;

  • collection of sensitive data or data of a highly personal nature;

  • large-scale collection of personal data;

  • data matching;

  • vulnerable persons (patients, elderly, children, etc.);

  • innovative use (use of new technology);

  • exclusion from a right/contract.

The CNIL has published a list of data processing operations for which a PIA must be carried out, but this is an aid to assessing the above criteria on a number of examples. Indeed, all the processing operations on this list meet at least 2 of the criteria from the G29 guidelines.

Tip: You have a lot of processing operations for which a PIA is mandatory and you do not know where to start? We advise you to combine the objective and subjective criteria : start with the processing operations for which a PIA is mandatory and which, in your opinion, involve the highest risks, and progress gradually by following this ranking.

When are they useful?

Trick question ! Carrying out a PIA is always useful because the breadth of criteria contained almost always reveals an aspect that has been little discussed or managed with questionable quality.

It is therefore extremely rare to finalise a PIA without any action for improvement being taken.

Difficulties of use

Lengthy and cumbersome

Carrying out an PIA can seem like a cumbersome and time-consuming task. We advise making it a real team effort, and allocating a set amount of time to it: for example, in 2 hours the PIA should be completed. How can this be achieved ? All the elements on which you are unsure or on which you need additional information can be integrated into the action plan at the end of the PIA, which will also allow the analysis to be kept alive.

Complexity of some questions or difficulties in understanding

An 85% completed PIA is always much more useful than no PIA. Do not let the apparent complexity of the task prevent you from analysing at least all the parts you know how to do. Again, keep the analysis process alive by involving the right actors at a later stage. That said, if you have assembled the right team to carry out the analysis, you should not encounter any major problems.

Mistakes not to be made

1. Trying to start from a blank PIA for each data processing operation: it is highly likely that many data processing operations within an organisation will have much in common, either in relation to the IT infrastructure they use or the data recipients involved.

It would be a shame not to reuse an existing PIA database to 'pre-fill' new PIAs, while of course checking that the information is still relevant.

2. Wanting to have it done by the DPO alone: not only is this not his role, as he should only facilitate the exercise, but it will result in a PIA of which many criteria will be poorly assessed (as a DPO is not a functional expert), and there will be no gain in understanding of the compliance issues and mechanisms for the data controllers who will not have participated in the analysis.

3. Wanting to do it without your DPO: solicit his or her expertise in personal data protection to ensure an analysis that is relevant to the purpose, but also to gain in efficiency because your DPO is familiar with the exercise.

Summary and advice

• Carry out a PIA before a new data processing operation goes into production: integrate the use of this tool into the design phase in a systematic way.

• Build up a library of pre-filled elements that will allow you to avoid re-analysing the same criteria indefinitely.

• Make it a team effort between data controllers, functional and technical specialists related to the processing, and the DPO.

• Use the action plan at the end of the PIA to frame the exercise and limit the time taken by the first analysis.

• Maintain an inventory of PIAs for each processing operation in the processing register.

This advice is based on our experience in assisting companies and public organisations with GDPR compliance or as an outsourced DPO.

Contact us to discuss and support your compliance with complete peace of mind.

Related blog posts:

• "End of garage kids"

• "2020 pandemic, cybersecurity and privacy for SMEs"

• "Personal data breaches: cybersecurity and the GDPR"

Did you enjoy this blog post?

Find more content related to cybersecurity and GDPR regulatory compliance on the CyberSecura blog!

Find out more about our GDPR compliance services!

We need your answers!

By completing this survey, you are helping us to better understand your interactions with our site and your potential needs.

Your answers are anonymous, and unless you ask to be contacted again by our teams, no personal information is requested!

Thank you for your responses!

Would you like to be informed of our news and receive our latest blog posts directly in your mailbox ? Subscribe to our monthly newsletter!

Would you like to discuss your difficulties, your needs, our offers ? Ask to be contacted, free of charge and without obligation, by one of our cybersecurity experts !