The requirement for a privacy impact assessment (PIA) or data protection impact assessment (DPIA) was introduced with the General Data Protection Regulation (Art. 35 of the GDPR). This refers to the obligation of the controller to conduct an impact assessment and to document it before starting the intended data processing. It’s also required when major changes or upgrades are made to systems processing personal data.
This spreadsheet is a detailed template for conducting the required assessment. We also include a process guide diagram to help you implement the PIA more effectively.
3 Things to Know About Performing DPIAs
Preparing to perform a privacy impact assessment is often complicated by several factors. Here are some challenges to be aware of before you begin.
- Information Gathering: Gathering the required information can be a challenge when assessors have not been involved in every project. They end up chasing down leads to find out who the data custodians are, where the system diagrams are, where data is stored, and so on. Assessors will also inevitably need to follow up on requests for information from busy respondents whose priorities lie elsewhere.
- Continuous Re-evaluation: As organizations and processes change, DPIAs need to be continuously reviewed and reassessed. Keeping track of those review schedules and consequential actions is no easy task as it requires attention to detail.
- Manual Nature of DPIAs: As organizations scale, so do the number of processing activities and the DPIAs they require. The manual nature of performing the 7 steps of each assessment can be burdensome and inevitably clashes with the need for speed in development environments. These steps include:
  - Describe the processing
  - Consider consultation
  - Assess necessity and proportionality
  - Identify and assess risks
  - Identify measures to mitigate the risks
  - Sign off and record outcomes