The GDPR requires organizations to perform a Privacy Impact Assessment (the GDPR itself calls it a Data Protection Impact Assessment, or DPIA, in Article 35) when a processing activity is likely to result in a high risk to the rights and freedoms of data subjects. Under the accountability principle you will also have to be able to demonstrate that you’ve done this, so document the assessment and its outcome.
What gets assessed in a PIA
Through answering the questions in a PIA – Privacy Impact Assessment – you will have to think about certain aspects of your processing activity. For instance: is it possible to achieve the same purpose in another way that has a lesser impact? If yes, then you’ll probably have to change your tactics. If no, then you may need mitigation plans and/or contingency plans.
- Mitigation plans: a strategy to lessen the impact on data subjects, for instance by collecting less data, pseudonymising it, or shortening retention.
- Contingency plans: I like to refer to these as the ‘in case shit happens plan’. Because really that’s all they are. And I cannot stress enough how unbelievably important they are too! When you need to respond quickly or immediately, it’s best to have a plan in place that tells you what to do. A guideline or checklist, if you will. Because your mind will be all over the place, and this plan will help you to get things done. Do first, panic later!
By going through the list of questions you'll be able to determine for yourself whether you should continue (or start – preferably you perform a PIA before you begin that particular processing activity!) or whether you need to modify certain processes to create a different outcome, a.k.a. a lower impact.
What constitutes a high impact?
Well, that all depends on the situation. And that’s where Risk Management comes in. In my humble opinion it is impossible, or at the very least irresponsible, to perform a PIA/DPIA without having a Risk Management strategy, process and policy in place. You must have determined (and documented) what constitutes high impact within your organization. This can vary per company. And of course we can all name examples that are definitely considered a high impact on data subjects; the GDPR itself lists a few in Article 35(3): systematic and extensive profiling with legal or similarly significant effects, large-scale processing of special categories of data (such as health data) or criminal-offence data, and systematic large-scale monitoring of publicly accessible areas.
What if the conclusion of the PIA is: don't continue?!
It can very well be possible that the outcome of your PIA/DPIA is that you should not start or continue that processing activity. So now what? Well, you start over. Not necessarily from scratch (that depends on the situation). And if the residual risk stays high even after your mitigation measures, the GDPR (Article 36) requires you to consult the supervisory authority before you start processing. A Privacy & Risk professional, such as myself, can help you tweak and change your processes and advise you on what you need to do or change in order to get the go-ahead.
What happens if the PIA says it's a no-go, but I still do it anyway?
You will get nightmares and feel uncomfortable. And besides that you can receive very hefty fines (check out my blog: F is for Fines): not carrying out a required DPIA falls under the lower fine bracket of the GDPR, up to €10 million or 2% of worldwide annual turnover, whichever is higher, and the supervisory authority can also order you to stop the processing altogether. Up to you, but it won't be in your best interest, that's for sure!
Why do you need Risk Management for performing a PIA / DPIA
The GDPR requires a risk-based approach. What works for another organization might not work for yours, and vice versa. And depending on what your risk appetite is, what your organization considers ‘high’ impact can vary. If you have a good Risk Management strategy, policy and process in place, you know when and how to act accordingly. A PIA or DPIA is an impact assessment with a list of questions that cannot be filled in (properly) without the above. As a certified Risk Management Practitioner I'd be happy to help and/or advise you on how to set up your Risk Management processes and policies and help you determine your Risk Management strategy.
Would you like to learn more? Sign up for the 60 Day Privacy & Risk Challenge
You’ll see throughout this blog that Risk Management and the GDPR are closely intertwined. This is why I’ve started the 60 Day Privacy & Risk Challenge on LinkedIn. The challenge starts on February 3rd 2020 (in English and Dutch). More information on 60daychallenge.eu